Windows
Analysis Report
cake.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- cake.exe (PID: 5144 cmdline:
"C:\Users\ user\Deskt op\cake.ex e" MD5: D64C3A1236EED6BA90305DCB38F92F6C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T19:15:53.508270+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49714 | 163.5.112.71 | 50000 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00007FF848E75D76 | |
Source: | Code function: | 0_2_00007FF848E76B22 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Code function: | 0_2_00007FF848E700C1 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm | ||
100% | Avira | HEUR/AGEN.1305769 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
vecotr.viewdns.net | 163.5.112.71 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
163.5.112.71 | vecotr.viewdns.net | France | 56339 | EPITECHFR | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1518520 |
Start date and time: | 2024-09-25 19:13:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | cake.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@1/0@4/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target cake.exe, PID 5144 because it is empty
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: cake.exe
Time | Type | Description |
---|---|---|
13:14:06 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
vecotr.viewdns.net | Get hash | malicious | XWorm | Browse |
| |
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | PureLog Stealer, XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
EPITECHFR | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AsyncRAT | Browse |
| ||
Get hash | malicious | AsyncRAT, PureLog Stealer, XWorm | Browse |
|
File type: | |
Entropy (8bit): | 5.59506560425833 |
TrID: |
|
File name: | cake.exe |
File size: | 33'280 bytes |
MD5: | d64c3a1236eed6ba90305dcb38f92f6c |
SHA1: | 9d239b7f28e6dbd96b2a1a8484747874664aaa8b |
SHA256: | 18dc423099be030506353e6b26762f2c789f22e79991192f4fae3e290afacc07 |
SHA512: | 526e7fd2e97e41a9bde5dc6bb06014b2f59c9a6d8338526d1f31dee4df32793ab0448aa13be2baa77d6e059c27fdd5c9d728745e5a4ec41c524eb3382c176931 |
SSDEEP: | 384:mlRmhGD91SluSWhnHHxzLmYV3Tm2eaFOzlzRApkFTBLTsOZwpGd2v99IkuisFVFE:GRPD9OQhx/BV3Tw4OlzVFE9jcOjhfbH |
TLSH: | 53E23B4877E44712DAFEAFB12DF261061271D51BD823EF9E0CE485EA2B67AC047407E6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.f.................x............... ........@.. ....................................@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40979e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66DF4DB3 [Mon Sep 9 19:34:11 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9744 | 0x57 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4d8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x77a4 | 0x7800 | ac61a5122f8cbfa991fc259cf079a73a | False | 0.5017903645833334 | data | 5.74573214807577 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xa000 | 0x4d8 | 0x600 | afbb984503128042cc38bf70e5e337f4 | False | 0.375 | data | 3.7203482473352403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xc000 | 0xc | 0x200 | fbad57bc563b9a0d7654c19529129cc5 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xa0a0 | 0x244 | data | 0.4724137931034483 | ||
RT_MANIFEST | 0xa2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-25T19:14:18.618659+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49704 | 163.5.112.71 | 50000 | TCP |
2024-09-25T19:15:53.508270+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49714 | 163.5.112.71 | 50000 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 25, 2024 19:14:07.672586918 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:07.677644014 CEST | 50000 | 49704 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:07.677747011 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:08.119388103 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:08.124471903 CEST | 50000 | 49704 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:18.618659019 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:18.623768091 CEST | 50000 | 49704 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:29.076006889 CEST | 50000 | 49704 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:29.076200008 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:30.424199104 CEST | 49704 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:30.426044941 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:30.530380011 CEST | 50000 | 49704 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:30.530401945 CEST | 50000 | 49710 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:30.530503988 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:30.556523085 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:30.561373949 CEST | 50000 | 49710 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:45.559494019 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:45.564825058 CEST | 50000 | 49710 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:51.904378891 CEST | 50000 | 49710 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:51.904638052 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:53.486768961 CEST | 49710 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:53.487966061 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:53.491813898 CEST | 50000 | 49710 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:53.493079901 CEST | 50000 | 49711 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:14:53.493171930 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:53.516880989 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:14:53.521812916 CEST | 50000 | 49711 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:07.143255949 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:07.159614086 CEST | 50000 | 49711 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:14.922636032 CEST | 50000 | 49711 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:14.922729969 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.020163059 CEST | 49711 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.025468111 CEST | 50000 | 49711 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:16.044150114 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.049067974 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:16.052253008 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.152153015 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.157015085 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:16.440031052 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:16.445061922 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:25.127818108 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:25.132790089 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:32.008224010 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:32.013319016 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:34.580785990 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:34.586849928 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:35.613131046 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:35.618964911 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.112195015 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:37.117244959 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.143162966 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:37.148269892 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.159060001 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:37.163855076 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.237097979 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:37.242582083 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.436630964 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:37.439879894 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:42.252510071 CEST | 49713 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:42.256216049 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:42.257544041 CEST | 50000 | 49713 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:42.261229038 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:42.262319088 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:42.312846899 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:42.318279982 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:49.127775908 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:49.133260965 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:15:53.508270025 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:15:53.514394999 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:01.503618956 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:01.508878946 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:02.536303043 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:02.542298079 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:03.620367050 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:03.624376059 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:07.549362898 CEST | 49714 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:07.556313992 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:07.558341980 CEST | 50000 | 49714 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:07.565573931 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:07.565699100 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:07.640424013 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:07.649120092 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:08.580710888 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:08.588184118 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:13.471513987 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:13.476922989 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:13.502599001 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:13.507491112 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:24.565315962 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:24.675677061 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:26.549530983 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:26.554940939 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:28.918421030 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:28.918507099 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.131331921 CEST | 49715 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.137763023 CEST | 50000 | 49715 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.169574022 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.175153017 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.175225973 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.218096018 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.231468916 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.424542904 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.429461002 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.440184116 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.445049047 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.455648899 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.472929001 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:29.472971916 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:29.480777979 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:34.520478964 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:34.525482893 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:36.908910990 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:36.913826942 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:45.127733946 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:45.132725000 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:45.143260002 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:45.149116039 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:45.174401999 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:45.179281950 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:45.299618959 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:45.304764986 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:45.315192938 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:45.320008993 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:48.831162930 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:49.223527908 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:49.533642054 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:49.923738003 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:49.923752069 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:49.923762083 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.487026930 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.492089033 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.587055922 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.590863943 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.591023922 CEST | 49716 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.592591047 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.596995115 CEST | 50000 | 49716 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.597680092 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.597795963 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.647026062 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.651838064 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.815212965 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.820156097 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.846414089 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.851639032 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:50.971487045 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:50.976387978 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:51.018485069 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:51.023421049 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:51.049571991 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:51.054589987 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:51.080854893 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:51.088169098 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:51.096477032 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:51.103965998 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:16:56.158900023 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:16:56.163757086 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:04.506799936 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:04.513052940 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:04.783931017 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:04.788889885 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:06.877823114 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:06.883980989 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:06.893292904 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:06.898147106 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:06.909009933 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:06.914021969 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:11.950186968 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:11.952562094 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:12.052472115 CEST | 49717 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:12.052472115 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:12.057658911 CEST | 50000 | 49717 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:12.057712078 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:12.057823896 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:12.212306976 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:12.217698097 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.065478086 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.071702957 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.080835104 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.085647106 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.096405983 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.101502895 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.111980915 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.116780996 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.127671957 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.132441998 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.158871889 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.165436983 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.174489975 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.179282904 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.190146923 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.195008039 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.205750942 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.210515022 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.221420050 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.226452112 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.236984968 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.242137909 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.268362045 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.273344994 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.283864975 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.288810015 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.299541950 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.304455996 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.331819057 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.336585999 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.346457005 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.351288080 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.393327951 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.398278952 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.408931017 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.414135933 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.424519062 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.429830074 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:23.440114021 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:23.444974899 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:24.018593073 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:24.023504972 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:28.705843925 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:28.711216927 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:33.456316948 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:33.456401110 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:33.784531116 CEST | 49718 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:33.789335966 CEST | 50000 | 49718 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:33.797195911 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:33.801970005 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:33.804627895 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:33.996563911 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:34.003257990 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:34.737200022 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:34.742202997 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:39.018661022 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:39.252480984 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:39.564976931 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:40.169893980 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:40.169920921 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:40.170764923 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:42.676635027 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:42.682077885 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:49.455892086 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:49.510932922 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:49.510991096 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:49.574717999 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:49.581100941 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:49.661588907 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:49.661649942 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:49.764144897 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:49.768584013 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:49.859024048 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:51.670387030 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:51.710078955 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:54.924604893 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:54.941534996 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:54.971498966 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:54.979126930 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:55.080997944 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:55.091487885 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:55.096519947 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:17:55.105089903 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:55.217787981 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:17:55.217848063 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:00.096548080 CEST | 49719 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:00.100625038 CEST | 49720 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:00.266916037 CEST | 50000 | 49719 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:18:00.266963959 CEST | 50000 | 49720 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:18:00.267168999 CEST | 49720 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:00.370608091 CEST | 49720 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:00.375559092 CEST | 50000 | 49720 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:18:09.831361055 CEST | 49720 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:09.984220982 CEST | 50000 | 49720 | 163.5.112.71 | 192.168.2.5 |
Sep 25, 2024 19:18:10.816623926 CEST | 49720 | 50000 | 192.168.2.5 | 163.5.112.71 |
Sep 25, 2024 19:18:10.821846962 CEST | 50000 | 49720 | 163.5.112.71 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 25, 2024 19:14:07.640628099 CEST | 57915 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 25, 2024 19:14:07.650729895 CEST | 53 | 57915 | 1.1.1.1 | 192.168.2.5 |
Sep 25, 2024 19:15:16.024151087 CEST | 57275 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 25, 2024 19:15:16.036556959 CEST | 53 | 57275 | 1.1.1.1 | 192.168.2.5 |
Sep 25, 2024 19:16:29.132929087 CEST | 61017 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 25, 2024 19:16:29.143603086 CEST | 53 | 61017 | 1.1.1.1 | 192.168.2.5 |
Sep 25, 2024 19:17:33.786405087 CEST | 55749 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 25, 2024 19:17:33.795753002 CEST | 53 | 55749 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 25, 2024 19:14:07.640628099 CEST | 192.168.2.5 | 1.1.1.1 | 0x88e4 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 25, 2024 19:15:16.024151087 CEST | 192.168.2.5 | 1.1.1.1 | 0xd660 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 25, 2024 19:16:29.132929087 CEST | 192.168.2.5 | 1.1.1.1 | 0x7af2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Sep 25, 2024 19:17:33.786405087 CEST | 192.168.2.5 | 1.1.1.1 | 0x87dd | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 25, 2024 19:14:07.650729895 CEST | 1.1.1.1 | 192.168.2.5 | 0x88e4 | No error (0) | 163.5.112.71 | A (IP address) | IN (0x0001) | false | ||
Sep 25, 2024 19:15:16.036556959 CEST | 1.1.1.1 | 192.168.2.5 | 0xd660 | No error (0) | 163.5.112.71 | A (IP address) | IN (0x0001) | false | ||
Sep 25, 2024 19:16:29.143603086 CEST | 1.1.1.1 | 192.168.2.5 | 0x7af2 | No error (0) | 163.5.112.71 | A (IP address) | IN (0x0001) | false | ||
Sep 25, 2024 19:17:33.795753002 CEST | 1.1.1.1 | 192.168.2.5 | 0x87dd | No error (0) | 163.5.112.71 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 13:14:02 |
Start date: | 25/09/2024 |
Path: | C:\Users\user\Desktop\cake.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x70000 |
File size: | 33'280 bytes |
MD5 hash: | D64C3A1236EED6BA90305DCB38F92F6C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Function 00007FF848E75D76 Relevance: .5, Instructions: 476COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E76B22 Relevance: .5, Instructions: 462COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70718 Relevance: .3, Instructions: 342COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E721C4 Relevance: .3, Instructions: 336COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E76736 Relevance: .3, Instructions: 335COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E721FD Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E725F5 Relevance: .3, Instructions: 311COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E77523 Relevance: .3, Instructions: 252COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E77DCD Relevance: .2, Instructions: 215COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70925 Relevance: .2, Instructions: 213COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E7897D Relevance: .2, Instructions: 203COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E7366C Relevance: .2, Instructions: 198COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E78F6A Relevance: .2, Instructions: 196COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E71738 Relevance: .2, Instructions: 185COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E705A0 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70740 Relevance: .2, Instructions: 173COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E786F1 Relevance: .2, Instructions: 171COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E7148D Relevance: .2, Instructions: 166COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70B5E Relevance: .2, Instructions: 160COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70780 Relevance: .2, Instructions: 150COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E78131 Relevance: .1, Instructions: 147COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E789D0 Relevance: .1, Instructions: 141COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E704C8 Relevance: .1, Instructions: 138COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E782F5 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70E11 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70710 Relevance: .1, Instructions: 131COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70CC1 Relevance: .1, Instructions: 121COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70E30 Relevance: .1, Instructions: 116COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E79335 Relevance: .1, Instructions: 103COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E77FF9 Relevance: .1, Instructions: 101COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E78B31 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E713D5 Relevance: .1, Instructions: 87COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E79259 Relevance: .1, Instructions: 84COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E79141 Relevance: .1, Instructions: 77COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E712C1 Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E77C21 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70738 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E7135D Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E7143B Relevance: .0, Instructions: 31COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E71141 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E71284 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF848E70795 Relevance: .0, Instructions: 10COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|