Windows
Analysis Report
wSIWW3vyrB.exe
Overview
General Information
Sample name: | wSIWW3vyrB.exe (renamed because original name is a hash value) |
Original sample name: | 848de6895fc2b6a1415564d88ec10917.exe |
Analysis ID: | 1527159 |
MD5: | 848de6895fc2b6a1415564d88ec10917 |
SHA1: | d0215843c2f33624a45c9bd359903adfdb74b9a1 |
SHA256: | 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0 |
Tags: | exe, user-abuse_ch |
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- wSIWW3vyrB.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\wSIWW3vyrB.exe" MD5: 848DE6895FC2B6A1415564D88EC10917)
  - conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - whoami.exe (PID: 6568 cmdline: whoami MD5: A4A6924F3EAF97981323703D38FD99C4)
    - conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Supershell | Yara detected Supershell | Joe Security | |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | 4 entries |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | 50 entries |
Source: | Classification label: |
Source: | Mutant created: | 2 entries |
Source: | File opened: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Process created: | 5 entries |
Source: | Section loaded: | 18 entries |
Source: | Static file information: |
Source: | Static PE information: | 2 entries |
Source: | Binary string: | 4 entries |
Source: | Static PE information: | 3 entries |
Boot Survival |
---|
Source: | Process created: | 2 entries |
Source: | Process information set: | 5 entries |
Source: | System information queried: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Process token adjusted: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 42% | ReversingLabs | Win64.Trojan.ShellcodeRunner | |
 | 100% | Joe Sandbox ML | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
121.41.18.122 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1527159 |
Start date and time: | 2024-10-06 20:57:54 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | wSIWW3vyrB.exe (renamed because original name is a hash value) |
Original Sample Name: | 848de6895fc2b6a1415564d88ec10917.exe |
Detection: | MAL |
Classification: | mal68.troj.winEXE@5/1@0/1 |
EGA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.190.159.4, 20.190.159.73, 20.190.159.2, 20.190.159.68, 20.190.159.64, 40.126.31.73, 20.190.159.23, 20.190.159.71
- Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: wSIWW3vyrB.exe
Match | Detection | Threat Name |
---|---|---|
fp2e7a.wpc.phicdn.net | malicious | HTMLPhisher |
 | malicious | HTMLPhisher |
 | malicious | Unknown |
 | malicious | HTMLPhisher |
 | malicious | HTMLPhisher |
 | malicious | Unknown |
 | malicious | HTMLPhisher |
 | malicious | HTMLPhisher |
 | malicious | Unknown |
 | malicious | Unknown |

Match | Detection | Threat Name |
---|---|---|
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | malicious | HTMLPhisher |
 | malicious | Mirai |
 | malicious | Mirai |
 | malicious | Unknown |
 | malicious | Unknown |
 | malicious | Unknown |
 | malicious | Unknown |
 | malicious | Unknown |
 | malicious | Mirai |
 | malicious | Mirai |
Process: | C:\Users\user\Desktop\wSIWW3vyrB.exe |
Category: | dropped |
Size (bytes): | 160 |
Entropy (8bit): | 4.438743916256937 |
Encrypted: | false |
SSDEEP: | 3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty |
MD5: | E467C82627F5E1524FDB4415AF19FC73 |
SHA1: | B86E3AA40E9FBED0494375A702EABAF1F2E56F8E |
SHA-256: | 116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540 |
SHA-512: | 2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Entropy (8bit): | 7.8915465929003235 |
File name: | wSIWW3vyrB.exe |
File size: | 5'939'200 bytes |
MD5: | 848de6895fc2b6a1415564d88ec10917 |
SHA1: | d0215843c2f33624a45c9bd359903adfdb74b9a1 |
SHA256: | 730012443a3df91c8bf067a31599ef529192e30b28372003dda7637b2966d5b0 |
SHA512: | ec0028b77cff56cdd5743de74416c8305879bc83fd2ef0d9d890636eedbd108860f5d88956941f53dd46edbfd4376737e4bd20f0e229249ddcbab1bc681dd295 |
SSDEEP: | 98304:uDCZPZUmgjGXKXl5t9Fk6TXibjXOBswc6d81/IGOj1oUUL43BSx4iwnH6ZCpt+Zx:uDQOjG6XtjS+BvL8Ojul0HiLCpI |
TLSH: | 5956332B91493D73D06A1678A3392C4DB952540DE3DCA734EBA2D9E673BC3A20DBD071 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................".......Z.........@9........@..............................P............`... ............................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x1423940 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 6ed4f5f04d62b18d96b26d6db7c18840 |
Instruction |
---|
push ebx |
push esi |
push edi |
push ebp |
dec eax |
lea esi, dword ptr [FFA566DAh] |
dec eax |
lea edi, dword ptr [esi-00A79025h] |
push edi |
xor ebx, ebx |
xor ecx, ecx |
dec eax |
or ebp, FFFFFFFFh |
call 00007F6970E09615h |
add ebx, ebx |
je 00007F6970E095C4h |
rep ret |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
rep ret |
dec eax |
lea eax, dword ptr [edi+ebp] |
cmp ecx, 05h |
mov dl, byte ptr [eax] |
jbe 00007F6970E095E3h |
dec eax |
cmp ebp, FFFFFFFCh |
jnbe 00007F6970E095DDh |
sub ecx, 04h |
mov edx, dword ptr [eax] |
dec eax |
add eax, 04h |
sub ecx, 04h |
mov dword ptr [edi], edx |
dec eax |
lea edi, dword ptr [edi+04h] |
jnc 00007F6970E095B1h |
add ecx, 04h |
mov dl, byte ptr [eax] |
je 00007F6970E095D2h |
dec eax |
inc eax |
mov byte ptr [edi], dl |
sub ecx, 01h |
mov dl, byte ptr [eax] |
dec eax |
lea edi, dword ptr [edi+01h] |
jne 00007F6970E095B2h |
rep ret |
cld |
inc ecx |
pop ebx |
jmp 00007F6970E095CAh |
dec eax |
inc esi |
mov byte ptr [edi], dl |
dec eax |
inc edi |
mov dl, byte ptr [esi] |
add ebx, ebx |
jne 00007F6970E095CCh |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
jc 00007F6970E095A8h |
lea eax, dword ptr [ecx+01h] |
jmp 00007F6970E095C9h |
dec eax |
inc ecx |
call ebx |
adc eax, eax |
inc ecx |
call ebx |
adc eax, eax |
add ebx, ebx |
jne 00007F6970E095CCh |
mov ebx, dword ptr [esi] |
dec eax |
sub esi, FFFFFFFCh |
adc ebx, ebx |
mov dl, byte ptr [esi] |
jnc 00007F6970E095A6h |
sub eax, 03h |
jc 00007F6970E095DBh |
shl eax, 08h |
movzx edx, dl |
or eax, edx |
dec eax |
inc esi |
xor eax, FFFFFFFFh |
je 00007F6970E0961Ah |
sar eax, 1 |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1024000 | 0x9c | UPX2 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0xa79000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX1 | 0xa7a000 | 0x5aa000 | 0x5a9c00 | 0414e75bcefb8af969388c5ce712cfc9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX2 | 0x1024000 | 0x1000 | 0x200 | 7e52da50a2c179bbebab5ba9aef24dfb | False | 0.197265625 | data | 1.4609665700923298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 6, 2024 20:58:50.698713064 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:50.703779936 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:50.703857899 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:50.703999043 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:50.709120035 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:51.834146976 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:51.834698915 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:51.834819078 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:51.839484930 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:51.839603901 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:52.273232937 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:52.273828983 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:52.273926020 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:52.278635025 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:52.278657913 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:52.710432053 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:52.711080074 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:52.716722012 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:53.146958113 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:53.147766113 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:53.152663946 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:53.586277008 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:53.586839914 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:53.591645002 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.024288893 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.065068960 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:54.159719944 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.179208040 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:54.184119940 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.252295971 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.256352901 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:54.256485939 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:54.261214018 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:54.261337042 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:55.497394085 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:55.545536041 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:55.635922909 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:55.636013985 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:55.636082888 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:55.636425972 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:55.636696100 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:55.646776915 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:55.646789074 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.079895020 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.127655029 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:56.219814062 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.220381021 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:56.220591068 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:56.220762014 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:56.220793009 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:56.225246906 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.225373983 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.225553036 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:56.225586891 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:57.038747072 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:57.086993933 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:57.171761990 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:57.181682110 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:57.183821917 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:57.186721087 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:57.188683987 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:58.084744930 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:58.132601023 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:58.135761023 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:58.136213064 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:58.136559010 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:58.141175032 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:58.141356945 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:58.954876900 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.002667904 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:59.087872982 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.088134050 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:59.088335037 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:59.093986988 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.093998909 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.617580891 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.619461060 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:58:59.624339104 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.906219006 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:58:59.954097986 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:00.039855957 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:00.040201902 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:00.040390015 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:00.044899940 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:00.045367956 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.988985062 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.989419937 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.989465952 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:01.989557981 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:01.989702940 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:01.990102053 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.990149975 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:01.990885019 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.990927935 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:01.991767883 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:01.991823912 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:02.006186008 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.006278038 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.148608923 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:02.149166107 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:02.153489113 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.154062986 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.210922956 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:02.215693951 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.898052931 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:02.945620060 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:02.982096910 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:03.032676935 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:03.142059088 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:03.147392035 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:05.246783972 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:05.252314091 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:05.257030964 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:10.693845034 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:10.694063902 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:10.698937893 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:16.576414108 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:16.576646090 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:16.581530094 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:22.016072035 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:22.016448021 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:22.021472931 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:27.455003977 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:27.455302954 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:27.460094929 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:32.895607948 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:32.895869017 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:32.900684118 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:38.335504055 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:38.335721970 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:38.341470957 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:43.775345087 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:43.777529001 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:43.782294989 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:49.217036963 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:49.217338085 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:49.222173929 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:54.571886063 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:54.572129011 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:54.576983929 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:59.913492918 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 20:59:59.913881063 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 20:59:59.918729067 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:05.254271984 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:05.254616022 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:05.259399891 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:10.598973989 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:10.599318981 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:10.604223967 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:15.940006971 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:15.940196991 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:15.945194960 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:21.280633926 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:21.280889988 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:21.285681009 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:26.627355099 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:26.627608061 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:26.632601976 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:31.976511002 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:31.976735115 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:31.981574059 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:37.317022085 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:37.317610979 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:37.322421074 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:42.658919096 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:42.659218073 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:42.664470911 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:48.001008034 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:48.001256943 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:48.008265018 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:53.343781948 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Oct 6, 2024 21:00:53.343977928 CEST | 49710 | 3232 | 192.168.2.6 | 121.41.18.122 |
Oct 6, 2024 21:00:53.348778009 CEST | 3232 | 49710 | 121.41.18.122 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 6, 2024 20:58:44.718962908 CEST | 1.1.1.1 | 192.168.2.6 | 0xf1f2 | No error (0) | fp2e7a.wpc.phicdn.net | | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 6, 2024 20:58:44.718962908 CEST | 1.1.1.1 | 192.168.2.6 | 0xf1f2 | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 14:58:49 |
Start date: | 06/10/2024 |
Path: | C:\Users\user\Desktop\wSIWW3vyrB.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\wSIWW3vyrB.exe" |
Imagebase: | 0xf00000 |
File size: | 5'939'200 bytes |
MD5 hash: | 848DE6895FC2B6A1415564D88EC10917 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Go lang |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 14:58:49 |
Start date: | 06/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:59:00 |
Start date: | 06/10/2024 |
Path: | C:\Windows\System32\whoami.exe |
Wow64 process (32bit): | false |
Commandline: | whoami |
Imagebase: | 0x7ff77b1e0000 |
File size: | 73'728 bytes |
MD5 hash: | A4A6924F3EAF97981323703D38FD99C4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 14:59:00 |
Start date: | 06/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |