Windows Analysis Report: rPROFORMAINVOICE-PO_ATS_1036.exe
Overview
General Information
Detection

Field | Value |
---|---|
Score | 100 (range 0 - 100) |
Whitelisted | false |
Confidence | 100% |
Process tree (system is w10x64)
- rPROFORMAINVOICE-PO_ATS_1036.exe (PID: 6180, cmdline: "C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe", MD5: CCDC6ABB91CBA9B82FCEA9F02AAEFFAC)
- conhost.exe (PID: 6344, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MSBuild.exe (PID: 3756, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- WerFault.exe (PID: 6604, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup

Reading the chain: the submitted file is a 64-bit native executable (ReversingLabs labels it Win64.Trojan.XWorm and its analysed functions sit at 0x00007FF7... addresses), while MSBuild.exe is started from the 32-bit Framework directory with no project or solution argument and later crashes (WerFault.exe -p 3756 names the MSBuild PID, and the crash handler comes from SysWOW64). Together with the Process Injection, Memory written and .Net Code signatures below, this is consistent with a native loader injecting the .NET XWorm payload into a Microsoft-signed host process so that the C2 traffic originates from MSBuild.exe rather than from the dropped file.
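The chain above (a user-profile executable launching an argument-less MSBuild.exe that then crashes under WerFault.exe) is a pattern endpoint telemetry can key on. The following is an added example, not code from the report, from Joe Sandbox or from the sample: it evaluates three signals over constructed Sysmon-style process-creation events modelled on the tree above. The parent PIDs of conhost.exe and MSBuild.exe are assumptions (the flattened tree does not show them; only WerFault's -p argument ties it to MSBuild), and the benign control row is invented.

```python
"""Hunt for the MSBuild.exe injection chain from this report in process-creation logs.

Added example (not part of the Joe Sandbox report or of the sample). The events
below are constructed to mirror the report's process tree; parent PIDs other than
the one WerFault names with -p are assumptions.
"""
import ntpath
import re

# Constructed Sysmon Event ID 1-style records: pid, ppid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 6180, "ppid": 4012,
     "image": r"C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe",
     "cmd": r'"C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"'},
    {"pid": 6344, "ppid": 6180,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3756, "ppid": 6180,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"'},
    {"pid": 6604, "ppid": 3756,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588"},
    # Benign control (invented): MSBuild started by a build agent with a project argument.
    {"pid": 7001, "ppid": 4100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /nologo app.csproj'},
]

# Directories an unprivileged user can write to. A parent running from here is a
# weak signal alone but strong in combination with an argument-less MSBuild.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def split_windows_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double-quoted tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def hunt_msbuild_injection(events):
    """Return {pid: [reasons]} for MSBuild processes that look like injection hosts.

    Signals, in the order the report's process tree exhibits them:
      1. MSBuild.exe launched with no project/solution argument.
      2. Its parent runs from a user-writable directory.
      3. WerFault.exe is later launched with -p <that MSBuild pid>: the hollowed
         process crashed, which corroborates 1 and 2 after the fact.
    """
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        if ntpath.basename(e["image"]).lower() != "msbuild.exe":
            continue
        reasons = []
        if len(split_windows_cmdline(e["cmd"])) == 1:
            reasons.append("msbuild.exe started without a project or solution argument")
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"parent {ntpath.basename(parent['image'])} runs from a user-writable path")
        if reasons:
            flagged[e["pid"]] = reasons
    # Second pass: a crash report for an already-flagged MSBuild raises confidence.
    for e in events:
        if ntpath.basename(e["image"]).lower() != "werfault.exe":
            continue
        m = re.search(r"-p\s+(\d+)", e["cmd"])
        if m and int(m.group(1)) in flagged:
            flagged[int(m.group(1))].append(
                f"WerFault.exe -p {m.group(1)}: the suspected injection host crashed")
    return flagged


if __name__ == "__main__":
    for pid, reasons in hunt_msbuild_injection(SAMPLE_EVENTS).items():
        print(pid)
        for r in reasons:
            print("  " + r)
```

Only PID 3756 is returned, with all three reasons; the control run with a project argument and a parent outside the user-writable prefixes is not flagged. In production the same three checks map onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and the WerFault check onto the -p argument of the crash-handler's CommandLine.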
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with a wide range of capabilities, from RAT to ransomware. | No Attribution | | |

Extracted configuration (Malware Configuration Extractor):
{"C2 url": ["67.215.224.133"], "Port": "5454", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

The C2 socket 67.215.224.133:5454 is the one the Suricata alert and the contacted-IP table below report. The AES key string, the SPL (the separator XWorm places between fields of its C2 messages) and the install file name are static strings suited to memory and file hunting; the C2 address is a raw IP, which is why the traffic section records no DNS lookup for it.
YARA matches. The original page shows two match tables; the source column did not survive extraction, and a further 3 and 9 entries respectively were collapsed behind "Click to see" links. Counted by rule:

Rule | Description | Author | Rows shown, first table | Rows shown, second table |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | 3 | 3 |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | 2 | 2 |

The AsyncRAT rule firing on the same material should be read as an overlap between the two rule sets rather than as a second family; the family call rests on the JoeSecurity rule together with the extracted XWorm V3.1 configuration.
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T14:26:58.181877+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 58154 | 67.215.224.133 | 5454 | TCP |
AV Detection
Signature rows in this section (the source and detail cells were not preserved by the extraction; only the signature type, its row count and, where present, the function address remain):
- Malware Configuration Extractor: 1
- ReversingLabs: 2
- Integrated Neural Analysis Model: 1
- String decryptor: 5
- Static PE information: 1
- Binary string: 45
- Code function: 7 (0_2_00007FF78BA0CC30, 0_2_00007FF78B9DFAA0, 0_2_00007FF78BA37A90, 0_2_00007FF78B9DF9C0, 0_2_00007FF78B9C9FC0, 0_2_00007FF78BA34450, 0_2_00007FF78BA30200)
Networking
- Suricata IDS: 2
- URLs: 1
- TCP traffic: 2
- ASN Name: 1
- TCP traffic detected without corresponding DNS query: 50
- DNS traffic detected: 1
- String found in binary or memory: 2
- Network traffic detected: 1

The 50 connections without a preceding DNS query are what a hard-coded C2 address looks like on the wire: the configuration carries the raw IP 67.215.224.133, so the implant never resolves a name, and the Suricata alert (SID 2853193, Malware Command and Control Activity Detected) fires on the resulting 5454/tcp session from 192.168.2.4.
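The "TCP traffic detected without corresponding DNS query" signature is a heuristic worth carrying into network monitoring. The following added example (not code from the report, from Joe Sandbox or from the sample) implements it over constructed Zeek-style dns.log and conn.log records modelled on the hosts and IPs in this report: a destination counts as resolved only if a DNS answer carried it before the flow began, non-routable destinations are ignored, and a local Suricata rule is rendered for the confirmed socket. The sid 1000001 and the message text are the operator's choice and are not the SID 2853193 ET rule the sandbox fired.

```python
"""Flag TCP connections to public IPs that no earlier DNS answer returned.

Added example (not part of the Joe Sandbox report). The records are constructed
to resemble Zeek dns.log / conn.log rows and reproduce the report's observation:
the sample talks to 67.215.224.133:5454 directly, with no preceding lookup.
"""
import ipaddress

# Constructed DNS answers (ts is seconds since capture start). The CDN host and
# the reverse lookup are the two names the report's domain table lists.
DNS_LOG = [
    {"ts": 10.0, "query": "fp2e7a.wpc.phicdn.net", "answers": ["192.229.221.95"]},
    {"ts": 11.0, "query": "198.187.3.20.in-addr.arpa", "answers": []},
]

# Constructed connection records; the 5454/tcp flows mirror the Suricata alert.
CONN_LOG = [
    {"ts": 12.0, "src": "192.168.2.4", "dst": "192.229.221.95", "dport": 80, "proto": "tcp"},
    {"ts": 13.5, "src": "192.168.2.4", "dst": "67.215.224.133", "dport": 5454, "proto": "tcp"},
    {"ts": 14.0, "src": "192.168.2.4", "dst": "192.168.2.1", "dport": 53, "proto": "udp"},
    {"ts": 20.0, "src": "192.168.2.4", "dst": "67.215.224.133", "dport": 5454, "proto": "tcp"},
]

# Ports on which a direct-to-IP connection is at least plausible for legitimate software.
COMMON_PORTS = frozenset({80, 443})


def first_dns_answer_time(dns_log):
    """Map each answered IP to the earliest time a DNS reply carried it."""
    first = {}
    for rec in dns_log:
        for ip in rec["answers"]:
            if ip not in first or rec["ts"] < first[ip]:
                first[ip] = rec["ts"]
    return first


def direct_ip_connections(conn_log, dns_log):
    """Return {(dst, dport): summary} for TCP flows to public IPs with no prior DNS answer.

    Private, loopback, link-local and multicast destinations are skipped, as is any
    destination that a DNS answer delivered before the flow started (ordering matters:
    an answer that arrives after the connection does not explain it).
    """
    first_seen = first_dns_answer_time(dns_log)
    findings = {}
    for c in sorted(conn_log, key=lambda r: r["ts"]):
        if c["proto"] != "tcp":
            continue
        dst = ipaddress.ip_address(c["dst"])
        if dst.is_private or dst.is_loopback or dst.is_link_local or dst.is_multicast:
            continue
        answered_at = first_seen.get(c["dst"])
        if answered_at is not None and answered_at <= c["ts"]:
            continue
        key = (c["dst"], c["dport"])
        entry = findings.setdefault(key, {
            "count": 0,
            "first_ts": c["ts"],
            "nonstandard_port": c["dport"] not in COMMON_PORTS,
        })
        entry["count"] += 1
    return findings


def suricata_rule(dst, dport, sid):
    """Render a local Suricata rule for a confirmed C2 socket (sid chosen by the operator)."""
    return (f'alert tcp $HOME_NET any -> {dst} {dport} '
            f'(msg:"LOCAL XWorm C2 socket from sandbox report"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for (dst, dport), info in direct_ip_connections(CONN_LOG, DNS_LOG).items():
        print(dst, dport, info)
        print(suricata_rule(dst, dport, 1000001))
```

On the constructed data only 67.215.224.133:5454 is reported, twice, with the non-standard port flagged; the CDN connection is excused by the answer at t=10, and the DNS query to the gateway is skipped as both UDP and private. The same logic scales to real Zeek output by streaming dns.log answers into the first-seen map and walking conn.log in timestamp order.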
Key, Mouse, Clipboard, Microphone and Screen Capturing
- .Net Code: 1
System Summary
Signature rows (source and detail cells not preserved; counts and function addresses as printed):
- Matched rule: 10
- Static PE information: 1
- Process Stats: 1
- Code function: 64 in the submitted file (process 0): 0_2_00007FF78B980C50, 0_2_00007FF78B97DFD0, 0_2_00007FF78B969340, 0_2_00007FF78B978200, 0_2_00007FF78B976190, 0_2_00007FF78B97D16A, 0_2_00007FF78B978830, 0_2_00007FF78B971520, 0_2_00007FF78B974CD9, 0_2_00007FF78B985C20, 0_2_00007FF78B987C79, 0_2_00007FF78B98BBA0, 0_2_00007FF78BA17BA0, 0_2_00007FF78B97FB40, 0_2_00007FF78BA12AC0, 0_2_00007FF78B994A40, 0_2_00007FF78B966A50, 0_2_00007FF78B956A50, 0_2_00007FF78B979A50, 0_2_00007FF78B9899C3, 0_2_00007FF78B961A00, 0_2_00007FF78B98F960, 0_2_00007FF78B9680D0, 0_2_00007FF78BA200E0, 0_2_00007FF78B96EFE0, 0_2_00007FF78B983F60, 0_2_00007FF78B98BEA0, 0_2_00007FF78B97FDD0, 0_2_00007FF78B972D30, 0_2_00007FF78B9744D0, 0_2_00007FF78B98B4F0, 0_2_00007FF78B97A420, 0_2_00007FF78B959430, 0_2_00007FF78BA03480, 0_2_00007FF78B960470, 0_2_00007FF78B981470, 0_2_00007FF78B9583C4, 0_2_00007FF78B98D320, 0_2_00007FF78B984390, 0_2_00007FF78B970360, 0_2_00007FF78B982370, 0_2_00007FF78B9892CE, 0_2_00007FF78B9852E0, 0_2_00007FF78BA2E240, 0_2_00007FF78B958220, 0_2_00007FF78B98F280, 0_2_00007FF78B9891B0, 0_2_00007FF78B991200, 0_2_00007FF78B975200, 0_2_00007FF78B98B180, 0_2_00007FF78B96E8A0, 0_2_00007FF78B95A8B0, 0_2_00007FF78B9B1910, 0_2_00007FF78B9888D9, 0_2_00007FF78B97A850, 0_2_00007FF78B98A7B0, 0_2_00007FF78B98C800, 0_2_00007FF78B9767F0, 0_2_00007FF78B962750, 0_2_00007FF78B97B6B0, 0_2_00007FF78B973640, 0_2_00007FF78B9835C0, 0_2_00007FF78B976610, 0_2_00007FF78B98E540; 1 in process 2 of the tree (MSBuild.exe, a 32-bit address): 2_2_00FFEB98; 1 further row without an address
- Process created: 1
- Binary or memory string: 10
- Matched rule: 10
- Cryptographic APIs: 3
- Binary or memory string: 1
- Classification label: 1
- Code function: 0_2_00007FF78B961830
- File created: 1
- Mutant created: 4
- File created: 1
- Key opened: 1
- ReversingLabs: 1
- File read: 1
- Process created: 5
- Section loaded: 28
- Key value queried: 1
- Static PE information: 1
- Static file information: 1
- Static PE information: 6
- Static PE information: 1
- Static PE information: 1
- Binary string: 45
- Static PE information: 5
Data Obfuscation
- .Net Code: 3
- .Net Code: 3
- Static PE information: 4
- File created (dropped file): 2
Boot Survival
- File created (dropped file): 1

The rows that follow are the sandbox-evasion and anti-debugging signature types (sleep and delay checks, volume and process queries, evasive API chains) that the ATT&CK mapping below records as Virtualization/Sandbox Evasion; their own section headings were not preserved:
- Process information set: 103
- Memory allocated: 4
- Thread delayed: 1
- Window / User API: 2
- Evasive API call chain: 1 (graph_0-29135)
- Thread sleep time: 1
- Thread sleep count: 2
- File Volume queried: 23
- Code function: 0_2_00007FF78B961460
- Thread delayed: 1
- Binary or memory string: 30
- Process information queried: 1
- Process token adjusted: 2
- Code function: 0_2_00007FF78B9BB64C
- Memory allocated: 1
HIPS / PFW / Operating System Protection Evasion
- Memory allocated: 1
- Memory written: 6
- Process created: 1
- Binary or memory string: 5
- Code function: 2 (0_2_00007FF78B9E8FB0, 0_2_00007FF78B9E9080)
- Queries volume information: 5
- Code function: 0_2_00007FF78B960030
- Key value queried: 1
- Binary or memory string: 5
- WMI Queries: 33

Memory allocated and then written in a process the sample created is the injection step the matrix below records as Process Injection; the 33 WMI queries are the host fingerprinting it records under Windows Management Instrumentation, System Information Discovery and Security Software Discovery.
Stealing of Sensitive Information
- File source: 12 rows (file names not preserved)
Remote Access Functionality
- File source: 12 rows (file names not preserved)
MITRE ATT&CK techniques observed. Only cells carrying a numeric prefix in the original matrix are hits (the prefix is the report's own count annotation and is kept as printed); the remaining cells were the unfilled matrix template and are omitted here.

Tactic | Techniques observed |
---|---|
Execution | 1 Windows Management Instrumentation; 1 Native API |
Persistence | 1 DLL Side-Loading |
Privilege Escalation | 1 Access Token Manipulation; 312 Process Injection; 1 DLL Side-Loading |
Defense Evasion | 111 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 312 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading |
Credential Access | 1 Input Capture |
Discovery | 1 System Time Discovery; 121 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 25 System Information Discovery |
Collection | 1 Input Capture; 11 Archive Collected Data |
Command and Control | 12 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 12 Application Layer Protocol |
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact | none |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win64.Trojan.XWorm |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win64.Trojan.XWorm |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | unknown | |
198.187.3.20.in-addr.arpa | unknown | unknown | false | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
67.215.224.133 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1518225 |
Start date and time: | 2024-09-25 14:24:28 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | rPROFORMAINVOICE-PO_ATS_1036.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/6@1/1 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 2.16.100.168, 88.221.110.91, 52.165.164.15, 192.229.221.95, 40.69.42.241, 20.3.187.198, 4.175.87.197, 20.12.23.50, 20.190.159.0, 40.126.31.67, 20.190.159.75, 20.190.159.68, 20.190.159.2, 20.190.159.4, 20.190.159.64, 20.190.159.71, 20.189.173.22
- Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: rPROFORMAINVOICE-PO_ATS_1036.exe
Time | Type | Description |
---|---|---|
08:25:27 | API Interceptor | |
08:27:56 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
fp2e7a.wpc.phicdn.net | malicious | ScreenConnect Tool |
| malicious | ScreenConnect Tool |
| malicious | ScreenConnect Tool |
| malicious | ScreenConnect Tool |
| malicious | ScreenConnect Tool |
| malicious | Unknown |
| malicious | HtmlDropper |
| malicious | SmokeLoader |
| malicious | Unknown |
| malicious | HTMLPhisher |
Match | Detection | Threat Name |
---|---|---|
ASN-QUADRANET-GLOBALUS | malicious | Unknown |
| malicious | AgentTesla |
| malicious | Remcos, DBatLoader |
| malicious | XWorm |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | GuLoader, Snake Keylogger, VIP Keylogger |
| malicious | Unknown |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_c0d52432dfe3ceb750b4c6e7cd4c95a2e207481_11e7f0f4_f83a3f6a-ba45-452e-b37a-b98497531510\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.1701646477935583 |
Encrypted: | false |
SSDEEP: | 192:/tzxScO3aXGT0BU/Ka6THyChC/zuiFzZ24IO8G:Zxi3aXxBU/KaWSp/zuiFzY4IO8G |
MD5: | 66CC108814C483D97B492FE85EFE7336 |
SHA1: | CA37A90FF23051EF908170041292FAD04D30C5D8 |
SHA-256: | EC13F2AA645508A955EACF5DC02C1789964B8C8C8AAA2F2C90607C0A09308735 |
SHA-512: | 361F1EB08BECF5D45A49C66E2A532BF4F3DE66ACA14F65C979D6F52B62C9DE285C332434A9D6ACC0F88AC1072CF9DF474722A0EEB9A359755856DA65E6B44291 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 330460 |
Entropy (8bit): | 3.6666584031052403 |
Encrypted: | false |
SSDEEP: | 3072:y3dCx2c0s4uEqkdXW8rfwqtNnY+LTg3NytN4XfUlOl:ytPc0s47wknYsTgdyte |
MD5: | 90CC49AAC8858896A4098D11817730D6 |
SHA1: | 8FDBE9DFF0FF0DC4EB501706B1C76274399F753F |
SHA-256: | 5E291D8EF29B861E061965F244C3F6C7AF73B092BD1CDC4874F8591FE993B6F2 |
SHA-512: | 7F5183B38F814ACDFE70DBF19F1E666A84055F39C88F52A9A8BF93A6199BB7396269FD21C0C4A2DB4FC65BD7B3F3DA3A62A36E0304DBA2FCB2309F423544CD87 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6384 |
Entropy (8bit): | 3.717767588768132 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJWg6XJ+YZzVapr689boJCsfqupm:R6lXJh6Z+Yn0oJBfTE |
MD5: | 88931B628AEB489AD8C495AB58063178 |
SHA1: | 53CEFDE1885D76F545B97869A31882932F8C05EF |
SHA-256: | F2CA7F0FB8E2E44964FAF4CAEE480B77BA32C53612D48235D2E861343C0E42F2 |
SHA-512: | 62A6EAE5B537BE4CA153ACD53E5F2D8CF71E83F4540B80DFA3DC574DAE1D18182F3BA9B3DD533614FA2BB817B86EBF645960C81DDAA18DBD6A665D4AC40DEFEA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4729 |
Entropy (8bit): | 4.448828040781326 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs5NJg77aI9sfWpW8VYj2Ym8M4JoxFqI+q8vulmLCd:uIjf5nI7OO7VCJUKomLCd |
MD5: | 9147A3187C8547ABBF9C751D3C16EF3B |
SHA1: | 92C8D631D03EBFBE85BA4328A86E4D8083C14A3B |
SHA-256: | FC05361E079AB959AAE1E0430385FBC124C91F93E86B64C309D5409CF9D2B97B |
SHA-512: | 442400464F7968263B24CEA00690E7120265DE9742A66A62FB1AD5AE39EC4DCCFBE58DEBC7FE8F9C07CA385BEA051B2B1B91E0C6F6297B31A396153B51AA01F9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1464832 |
Entropy (8bit): | 6.886828046222246 |
Encrypted: | false |
SSDEEP: | 24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj |
MD5: | CCDC6ABB91CBA9B82FCEA9F02AAEFFAC |
SHA1: | 8BADDE3B9CB21B8F6CD0FCF75F8B94A545FA35EA |
SHA-256: | 55EAD53E3DFF6DB18AB2E0A9E353C4F39E6D0CE7AD0DD506DD7CE92D866B7EAA |
SHA-512: | 216E011F71E2783EC85B21AE98A1952D9C0F8FF7325E7001C177B3FFAEBA5407446E42C05393BB33B6DCFD430EB81323343A24C9F6A2597709A6DF26D0CAF7DF |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.466344412417991 |
Encrypted: | false |
SSDEEP: | 6144:TIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSb+:EXD94OWlLZMM6YFH7++ |
MD5: | A2791C4437591F26E21ADBDA86022287 |
SHA1: | 9062DBD6220E38A9B7F80232F3D6A0A59F29B24C |
SHA-256: | F918B0A1D009CF60BA2882873F985900109FAE7F909079E80512291A343E4A7C |
SHA-512: | DE67D87AAEBF79171DF90A365D90CAB5E7BB63CE157A16C02B40322618EF45582C967766F064DF1BAFBE02F35CCC364F8CCE3A6BA171DF7CBACFD7D2E8DF825B |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.886828046222246 |
TrID: | |
File name: | rPROFORMAINVOICE-PO_ATS_1036.exe |
File size: | 1'464'832 bytes |
MD5: | ccdc6abb91cba9b82fcea9f02aaeffac |
SHA1: | 8badde3b9cb21b8f6cd0fcf75f8b94a545fa35ea |
SHA256: | 55ead53e3dff6db18ab2e0a9e353c4f39e6d0ce7ad0dd506dd7ce92d866b7eaa |
SHA512: | 216e011f71e2783ec85b21ae98a1952d9c0f8ff7325e7001c177b3ffaeba5407446e42c05393bb33b6dcfd430eb81323343a24c9f6a2597709a6df26d0caf7df |
SSDEEP: | 24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj |
TLSH: | B765BE19E3A911FCD52BC634CB51A233E6B174560B21A5CB0B99C7452FB3EE16B7B302 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E............... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14006ac2c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 22a65106d3d84ea74d966fa0424a5a0c |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x17f3c0 | 0x5c | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f41c | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19c000 | 0x8cec | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x18f000 | 0xcdec | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a5000 | 0x5b8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x165ae0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x165d00 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1659a0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11a000 | 0x6a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6f188 | 0x6f200 | 16824105689e93571b28f6d652acf3f1 | False | 0.45466728768278963 | data | 6.6338226603175485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.managed | 0x71000 | 0x77a28 | 0x77c00 | 459fe8e4d0429964edfb07e39e66b232 | False | 0.46850331093423797 | data | 6.473781869755907 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
hydrated | 0xe9000 | 0x30498 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x11a000 | 0x66c6a | 0x66e00 | 66005403fd51b790f6bebcfc93bfd20a | False | 0.48810088851761846 | data | 6.702713768992107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x181000 | 0xd5a8 | 0x1800 | 9d5075bd44b367f703d8e922b003398a | False | 0.2294921875 | data | 3.190641782829915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x18f000 | 0xcdec | 0xce00 | 638451eb673a6cdf25f666b19f1b8bb4 | False | 0.49419751213592233 | data | 6.064103613023274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x19c000 | 0x8cec | 0x8e00 | 44a3fd7e9e9250b96fa62a4cdb150fb0 | False | 0.9726287411971831 | data | 7.961008846506978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1a5000 | 0x5b8 | 0x600 | adcf9b9e4d3994d1018ad464f4f1db74 | False | 0.5826822916666666 | data | 5.215191968056739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
BINARY | 0x19c130 | 0x8694 | data | 1.000609543712992 | ||
RT_VERSION | 0x1a47c4 | 0x33c | data | 0.3864734299516908 | ||
RT_MANIFEST | 0x1a4b00 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW |
bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom |
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead |
ole32.dll | CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles |
api-ms-win-crt-heap-l1-1-0.dll | malloc, free, _callnewh, calloc, _set_new_mode |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-string-l1-1-0.dll | strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp |
api-ms-win-crt-convert-l1-1-0.dll | strtoull |
api-ms-win-crt-runtime-l1-1-0.dll | __p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T14:26:30.991268+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 58148 | 67.215.224.133 | 5454 | TCP |
2024-09-25T14:26:58.181877+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 58154 | 67.215.224.133 | 5454 | TCP |
Sep 25, 2024 14:26:24.755249977 CEST | 58145 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:24.760010004 CEST | 5454 | 58145 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:26.334225893 CEST | 5454 | 58145 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:26.334414005 CEST | 58145 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:26.628647089 CEST | 58145 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:26.629576921 CEST | 58146 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:26.635847092 CEST | 5454 | 58145 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:26.638817072 CEST | 5454 | 58146 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:26.638987064 CEST | 58146 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:26.651000977 CEST | 58146 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:26.658725023 CEST | 5454 | 58146 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:28.223449945 CEST | 5454 | 58146 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:28.223608017 CEST | 58146 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:28.347368002 CEST | 58146 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:28.348355055 CEST | 58147 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:28.352257013 CEST | 5454 | 58146 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:28.353271008 CEST | 5454 | 58147 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:28.353348970 CEST | 58147 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:28.364743948 CEST | 58147 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:28.369584084 CEST | 5454 | 58147 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:29.285067081 CEST | 49724 | 80 | 192.168.2.4 | 93.184.221.240 |
Sep 25, 2024 14:26:29.290213108 CEST | 80 | 49724 | 93.184.221.240 | 192.168.2.4 |
Sep 25, 2024 14:26:29.290318966 CEST | 49724 | 80 | 192.168.2.4 | 93.184.221.240 |
Sep 25, 2024 14:26:29.942154884 CEST | 5454 | 58147 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:29.942270041 CEST | 58147 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:29.958025932 CEST | 58147 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:29.960786104 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:29.963066101 CEST | 5454 | 58147 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:29.965708971 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:29.965823889 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:29.978579044 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:29.983582020 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:30.991267920 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:30.997365952 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.019622087 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.025746107 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.238322020 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.243350983 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.604201078 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.605653048 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.606267929 CEST | 58148 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.607856035 CEST | 58149 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.610990047 CEST | 5454 | 58148 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.612750053 CEST | 5454 | 58149 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:31.612865925 CEST | 58149 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.643135071 CEST | 58149 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:31.648066998 CEST | 5454 | 58149 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:33.191458941 CEST | 5454 | 58149 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:33.192709923 CEST | 58149 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:36.831597090 CEST | 58149 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:36.834301949 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:36.836584091 CEST | 5454 | 58149 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:36.839253902 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:36.839340925 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:36.876773119 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:36.881786108 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:37.363272905 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:37.368345022 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:37.441286087 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:37.446258068 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:38.409243107 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:38.409400940 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:42.458300114 CEST | 58151 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:42.458301067 CEST | 58150 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:42.464808941 CEST | 5454 | 58150 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:42.464822054 CEST | 5454 | 58151 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:42.464945078 CEST | 58151 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:42.561379910 CEST | 58151 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:42.566240072 CEST | 5454 | 58151 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:44.054091930 CEST | 5454 | 58151 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:44.054164886 CEST | 58151 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.613071918 CEST | 58151 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.615159988 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.618063927 CEST | 5454 | 58151 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:47.620073080 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:47.620145082 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.652051926 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.657244921 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:47.707494020 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.754436970 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:47.816276073 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:47.823379993 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:49.283936977 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:49.284056902 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:52.847598076 CEST | 58152 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:52.849544048 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:52.863617897 CEST | 5454 | 58152 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:52.864392042 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:52.866596937 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:52.937750101 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:52.942728996 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.350121021 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.657653093 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.691361904 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.691378117 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.722594023 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.740813971 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.831291914 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.840766907 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.923512936 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.948157072 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:53.961719990 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:53.970104933 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:54.034586906 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:54.044466019 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:54.046842098 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:54.058393955 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:54.144751072 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:54.154185057 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:54.510936975 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:54.511003971 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:57.987931013 CEST | 58153 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:57.990403891 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:57.993298054 CEST | 5454 | 58153 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:57.995368958 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:57.995465994 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:58.046135902 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:58.051043034 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:58.152220011 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:58.158212900 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:58.181876898 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:58.400289059 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:59.253690958 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:26:59.258692026 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:59.596793890 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:26:59.596863985 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.219058990 CEST | 58154 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.224387884 CEST | 5454 | 58154 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.250720024 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.269224882 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.269596100 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.454819918 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.463280916 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.553725958 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.573621035 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.727591038 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.734019041 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.842407942 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.851066113 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:03.855220079 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:03.865318060 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:04.637378931 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:04.643294096 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:04.919886112 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:04.919986010 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:08.659755945 CEST | 58155 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:08.660895109 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:08.664693117 CEST | 5454 | 58155 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:08.665834904 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:08.665930033 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:08.697635889 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:08.702615976 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:09.721616983 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:09.726579905 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:10.207618952 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:10.383742094 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:10.383819103 CEST | 58156 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:10.385194063 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:10.388837099 CEST | 5454 | 58156 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:13.973510027 CEST | 58157 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:13.978543043 CEST | 5454 | 58157 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:13.981600046 CEST | 58157 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:14.038613081 CEST | 58157 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:14.043397903 CEST | 5454 | 58157 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:15.569825888 CEST | 5454 | 58157 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:15.569937944 CEST | 58157 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:19.441677094 CEST | 58157 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:19.443877935 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:19.449393988 CEST | 5454 | 58157 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:19.452023983 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:19.452131033 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:19.478866100 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:19.483747959 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:20.113364935 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:20.118444920 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:20.168143988 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:20.173158884 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:20.682256937 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:20.687285900 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:20.881164074 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:20.890012980 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:21.050735950 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:21.050952911 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:25.378530025 CEST | 58158 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:25.379903078 CEST | 58159 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:25.384263039 CEST | 5454 | 58158 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:25.387131929 CEST | 5454 | 58159 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:25.387211084 CEST | 58159 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:25.434683084 CEST | 58159 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:25.440674067 CEST | 5454 | 58159 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:27.180217028 CEST | 5454 | 58159 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:27.180314064 CEST | 58159 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:30.910080910 CEST | 58159 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:30.913213015 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:30.915056944 CEST | 5454 | 58159 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:30.918118954 CEST | 5454 | 58160 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:30.918201923 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:30.974839926 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:30.981719971 CEST | 5454 | 58160 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:31.730832100 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:31.738044977 CEST | 5454 | 58160 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:32.488166094 CEST | 5454 | 58160 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:32.488261938 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.081624031 CEST | 58160 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.082993031 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.090447903 CEST | 5454 | 58160 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:36.090863943 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:36.090943098 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.127415895 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.135070086 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:36.339238882 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:36.344302893 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:37.237327099 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:37.242489100 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:37.402493954 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:37.407511950 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:37.767287016 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:37.767431974 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:56.826611996 CEST | 58161 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:56.829626083 CEST | 58173 | 5454 | 192.168.2.4 | 67.215.224.133 |
Sep 25, 2024 14:27:56.996958971 CEST | 5454 | 58161 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:56.996973038 CEST | 5454 | 58173 | 67.215.224.133 | 192.168.2.4 |
Sep 25, 2024 14:27:56.997036934 CEST | 58173 | 5454 | 192.168.2.4 | 67.215.224.133 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 25, 2024 14:25:53.228573084 CEST | 53 | 57373 | 162.159.36.2 | 192.168.2.4 |
Sep 25, 2024 14:25:53.786108971 CEST | 61884 | 53 | 192.168.2.4 | 1.1.1.1 |
Sep 25, 2024 14:25:53.833808899 CEST | 53 | 61884 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 25, 2024 14:25:53.786108971 CEST | 192.168.2.4 | 1.1.1.1 | 0x811f | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 25, 2024 14:25:40.356439114 CEST | 1.1.1.1 | 192.168.2.4 | 0xea7d | No error (0) | | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
Sep 25, 2024 14:25:40.356439114 CEST | 1.1.1.1 | 192.168.2.4 | 0xea7d | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Sep 25, 2024 14:25:53.833808899 CEST | 1.1.1.1 | 192.168.2.4 | 0x811f | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 08:25:20 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff78b950000 |
File size: | 1'464'832 bytes |
MD5 hash: | CCDC6ABB91CBA9B82FCEA9F02AAEFFAC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:25:20 |
Start date: | 25/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 08:25:20 |
Start date: | 25/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x860000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 08:27:38 |
Start date: | 25/09/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc30000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 7.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 31.5% |
Total number of Nodes: | 1152 |
Total number of Limit Nodes: | 71 |
Graph
Function 00007FF78B971520 Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1052threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B97D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B97DFD0 Relevance: .7, Instructions: 685COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B978200 Relevance: .4, Instructions: 414COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B980C50 Relevance: .3, Instructions: 317COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B976190 Relevance: .3, Instructions: 272COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B97C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B961010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B95B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B954740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B9554E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86sleepCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B960E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B9BB610 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B961770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B961830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B96EFE0 Relevance: 13.4, APIs: 5, Strings: 2, Instructions: 1181threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B956A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF78B959430 Relevance: 1.0, Instructions: 971, Tags: COMMON
Function 00007FF78B984390 Relevance: 1.0, Instructions: 955, Tags: COMMON
Function 00007FF78B9892CE Relevance: .8, Instructions: 844, Tags: COMMON
Function 00007FF78B9888D9 Relevance: .8, Instructions: 829, Tags: COMMON
Function 00007FF78B975200 Relevance: .6, Instructions: 629, Tags: COMMON
Function 00007FF78B9852E0 Relevance: .6, Instructions: 619, Tags: COMMON
Function 00007FF78B985C20 Relevance: .6, Instructions: 604, Tags: COMMON
Function 00007FF78B98BEA0 Relevance: .6, Instructions: 561, Tags: COMMON
Function 00007FF78B972D30 Relevance: .5, Instructions: 457, Tags: COMMON
Function 00007FF78BA200E0 Relevance: .4, Instructions: 428, Tags: COMMON
Function 00007FF78B98B4F0 Relevance: .4, Instructions: 424, Tags: COMMON
Function 00007FF78B970360 Relevance: .4, Instructions: 423, Tags: COMMON
Function 00007FF78B982370 Relevance: .4, Instructions: 392, Tags: COMMON
Function 00007FF78B9891B0 Relevance: .3, Instructions: 326, Tags: COMMON
Function 00007FF78B974CD9 Relevance: .3, Instructions: 319, Tags: COMMON
Function 00007FF78B9899C3 Relevance: .3, Instructions: 304, Tags: COMMON
Function 00007FF78B9767F0 Relevance: .3, Instructions: 299, Tags: COMMON
Function 00007FF78B987C79 Relevance: .3, Instructions: 262, Tags: COMMON
Function 00007FF78B966A50 Relevance: .3, Instructions: 258, Tags: COMMON
Function 00007FF78B97A420 Relevance: .3, Instructions: 258, Tags: COMMON
Function 00007FF78BA03480 Relevance: .3, Instructions: 257, Tags: COMMON
Function 00007FF78B983F60 Relevance: .3, Instructions: 255, Tags: COMMON
Function 00007FF78B98F280 Relevance: .3, Instructions: 254, Tags: COMMON
Function 00007FF78B98E540 Relevance: .2, Instructions: 220, Tags: COMMON
Function 00007FF78B98B180 Relevance: .2, Instructions: 218, Tags: COMMON
Function 00007FF78B98BBA0 Relevance: .2, Instructions: 212, Tags: COMMON
Function 00007FF78B9B1910 Relevance: .2, Instructions: 209, Tags: COMMON
Function 00007FF78B95A8B0 Relevance: .2, Instructions: 206, Tags: COMMON
Function 00007FF78B9583C4 Relevance: .2, Instructions: 175, Tags: COMMON
Function 00007FF78B97A850 Relevance: .2, Instructions: 171, Tags: COMMON
Function 00007FF78BA2E240 Relevance: .2, Instructions: 167, Tags: COMMON
Function 00007FF78B97FB40 Relevance: .2, Instructions: 166, Tags: COMMON
Function 00007FF78BA30200 Relevance: .2, Instructions: 165, Tags: COMMON
Function 00007FF78B973640 Relevance: .2, Instructions: 163, Tags: COMMON
Function 00007FF78BA0CC30 Relevance: .2, Instructions: 160, Tags: COMMON
Function 00007FF78B98C800 Relevance: .2, Instructions: 160, Tags: COMMON
Function 00007FF78B9680D0 Relevance: .1, Instructions: 125, Tags: COMMON
Function 00007FF78B976610 Relevance: .1, Instructions: 123, Tags: COMMON
Function 00007FF78BA12AC0 Relevance: .1, Instructions: 102, Tags: COMMON
Function 00007FF78BA34450 Relevance: .1, Instructions: 102, Tags: COMMON
Function 00007FF78B981470 Relevance: .1, Instructions: 71, Tags: COMMON
Function 00007FF78BA37A90 Relevance: .1, Instructions: 68, Tags: COMMON
Function 00007FF78B9DF9C0 Relevance: .0, Instructions: 46, Tags: COMMON
Function 00007FF78B9DFAA0 Relevance: .0, Instructions: 25, Tags: COMMON
Function 00007FF78B9C9FC0 Relevance: .0, Instructions: 19, Tags: COMMON
Function 00007FF78B9B90A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136, Tags: COMMON
Function 00007FF78B95C1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101, Tags: string, COMMON
Function 00007FF78B95B3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84, Tags: libraryloader, COMMON
Function 00007FF78B954E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83, Tags: threadlibraryloader, COMMON
Function 00007FF78B955260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50, Tags: thread, COMMON
Function 00007FF78B953540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126, Tags: COMMON
Function 00007FF78B9BB27C Relevance: 6.0, APIs: 4, Instructions: 39, Tags: timethread, COMMON
Function 00007FF78B9BC658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44, Tags: COMMON, LIBRARYCODE
Function 00007FF78B95D050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37, Tags: string, COMMON
Execution Graph
Execution Coverage: 4.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 20
Total number of Limit Nodes: 2
Graph
Function 00FF7110 Relevance: 6.1, APIs: 4, Instructions: 133, Tags: thread, COMMON
Function 00FF7120 Relevance: 6.1, APIs: 4, Instructions: 128, Tags: thread, COMMON
Function 00FF6CEC Relevance: 1.6, APIs: 1, Instructions: 65, Tags: COMMON
Function 00FF7360 Relevance: 1.6, APIs: 1, Instructions: 64, Tags: COMMON
Function 00FF2260 Relevance: 1.6, APIs: 1, Instructions: 59, Tags: COMMON
Function 00FF2268 Relevance: 1.6, APIs: 1, Instructions: 58, Tags: COMMON
Function 00E8D500 Relevance: .1, Instructions: 75, Tags: COMMON
Function 00E9D0FC Relevance: .1, Instructions: 72, Tags: COMMON
Function 00E8D4FB Relevance: .1, Instructions: 56, Tags: COMMON
Function 00E9D0F7 Relevance: .1, Instructions: 53, Tags: COMMON