Edit tour

Windows Analysis Report
NXK7tvxiAh.exe

Overview

General Information

Sample name:	NXK7tvxiAh.exe renamed because original name is a hash value
Original sample name:	4f121ea16b6d93625750722b82b68566.exe
Analysis ID:	1528612
MD5:	4f121ea16b6d93625750722b82b68566
SHA1:	cf11c14525ae058bc653724281965314550b0c64
SHA256:	d7ac0037bcddd94c672402c04523ecf749de0156e550e1eec5d91abf29a7ddb2
Tags:	64exeMeterpretertrojan
Infos:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Yara signature match

Classification

Process Tree

System is w10x64

NXK7tvxiAh.exe (PID: 3228 cmdline: "C:\Users\user\Desktop\NXK7tvxiAh.exe" MD5: 4F121EA16B6D93625750722B82B68566)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "47.239.242.141", "Port": 6666}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NXK7tvxiAh.exe	JoeSecurity_MetasploitPayload_2	Yara detected Metasploit Payload	Joe Security
NXK7tvxiAh.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
NXK7tvxiAh.exe	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
NXK7tvxiAh.exe	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x18d7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xd7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xd7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.NXK7tvxiAh.exe.140000000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.NXK7tvxiAh.exe.140000000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.0.NXK7tvxiAh.exe.140000000.0.unpack	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x171f:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
0.2.NXK7tvxiAh.exe.140000000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.NXK7tvxiAh.exe.140000000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.NXK7tvxiAh.exe.140000000.0.unpack	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x171f:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NXK7tvxiAh.exe

Avira: detected

Found malware configuration

Source: NXK7tvxiAh.exe

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "47.239.242.141", "Port": 6666}

Multi AV Scanner detection for submitted file

Source: NXK7tvxiAh.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NXK7tvxiAh.exe

Joe Sandbox ML: detected

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 47.239.242.141:6666

Source: Joe Sandbox View

ASN Name: CHARTER-20115US CHARTER-20115US

Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141
Source: unknown	TCP traffic detected without corresponding DNS query: 47.239.242.141

Source: C:\Users\user\Desktop\NXK7tvxiAh.exe

Code function: 0_2_00000001400040D6 LoadLibraryA,WSASocketA,connect,recv,closesocket,

0_2_00000001400040D6

System Summary

Malicious sample detected (through community Yara rule)

Source: NXK7tvxiAh.exe, type: SAMPLE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: NXK7tvxiAh.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 0.0.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 0.2.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown

Source: NXK7tvxiAh.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: NXK7tvxiAh.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 0.0.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 0.2.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04

Source: classification engine

Classification label: mal96.troj.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\NXK7tvxiAh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NXK7tvxiAh.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\NXK7tvxiAh.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\NXK7tvxiAh.exe	Section loaded: mswsock.dll			Jump to behavior

Source: NXK7tvxiAh.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: initial sample

Static PE information: section where entry point is pointing to: .aycs

Source: NXK7tvxiAh.exe

Static PE information: real checksum: 0x58ba should be: 0x5a72

Source: NXK7tvxiAh.exe

Static PE information: section name: .aycs

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NXK7tvxiAh.exe, 00000000.00000002.3257704414.00000000005F6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: NXK7tvxiAh.exe, type: SAMPLE
Source: Yara match	File source: 0.0.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NXK7tvxiAh.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
NXK7tvxiAh.exe	92%	ReversingLabs	Win64.Backdoor.Meterpreter
NXK7tvxiAh.exe	100%	Avira	TR/Crypt.XPACK.Gen7
NXK7tvxiAh.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.239.242.141	unknown	United States		20115	CHARTER-20115US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528612
Start date and time:	2024-10-08 04:28:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NXK7tvxiAh.exe renamed because original name is a hash value
Original Sample Name:	4f121ea16b6d93625750722b82b68566.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: NXK7tvxiAh.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
47.239.242.141	vNenBbeRFZ.exe	Get hash	malicious	CobaltStrike, Metasploit, ReflectiveLoader	Browse	47.239.242.141:9999/ga.js
47.239.242.141	hRjh70pZ6Q.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.239.242.141:9999/s9bO

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHARTER-20115US	vNenBbeRFZ.exe	Get hash	malicious	CobaltStrike, Metasploit, ReflectiveLoader	Browse	47.239.242.141
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	97.94.57.120
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	172.220.122.192
	na.elf	Get hash	malicious	Unknown	Browse	66.215.147.152
	O8scEm3rJN.exe	Get hash	malicious	Unknown	Browse	47.238.55.14
	setupa.exe	Get hash	malicious	GhostRat	Browse	47.239.116.158
	Jr77pnmOup.elf	Get hash	malicious	Mirai	Browse	71.94.21.162
	ZEjcJZcrXc.elf	Get hash	malicious	Mirai	Browse	24.178.88.151
	na.elf	Get hash	malicious	Mirai	Browse	47.26.86.21
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	66.169.57.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	1.315425145419752
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NXK7tvxiAh.exe
File size:	7'168 bytes
MD5:	4f121ea16b6d93625750722b82b68566
SHA1:	cf11c14525ae058bc653724281965314550b0c64
SHA256:	d7ac0037bcddd94c672402c04523ecf749de0156e550e1eec5d91abf29a7ddb2
SHA512:	fc532fe11356c833d22302750a0259081e9ece7e632444ce5f544eea2460cd784005198369f76cc13d162080d63efd4cc686a00617200bd8ad8da33950d8531a
SSDEEP:	24:eFGStrJ9u0/6XZnZdkBQAVxc/q9KZqAaeNDMSCvOXpmB:is0WpkBQNC9vSD9C2kB
TLSH:	F7E175133B184EB6D87C057947E3FDA766689A293F3F43758D180307387232479A5918
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..\|E..t=..\|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140004000
Entrypoint Section:	.aycs
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b4c6fff030479aa3b12625be67bf4914

Entrypoint Preview

Instruction
cld
dec eax
and esp, FFFFFFF0h
call 00007F8F1C4ED6A1h
inc ecx
push ecx
inc ecx
push eax
push edx
dec eax
xor edx, edx
dec eax
mov edx, dword ptr [edx+60h]
dec eax
mov edx, dword ptr [edx+18h]
push ecx
push esi
dec eax
mov edx, dword ptr [edx+20h]
dec ebp
xor ecx, ecx
dec eax
movzx ecx, word ptr [edx+4Ah]
dec eax
mov esi, dword ptr [edx+50h]
dec eax
xor eax, eax
lodsb
cmp al, 61h
jl 00007F8F1C4ED5D4h
sub al, 20h
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
loop 00007F8F1C4ED5BFh
push edx
dec eax
mov edx, dword ptr [edx+20h]
inc ecx
push ecx
mov eax, dword ptr [edx+3Ch]
dec eax
add eax, edx
cmp word ptr [eax+18h], 020Bh
jne 00007F8F1C4ED648h
mov eax, dword ptr [eax+00000088h]
dec eax
test eax, eax
je 00007F8F1C4ED639h
dec eax
add eax, edx
mov ecx, dword ptr [eax+18h]
push eax
inc esp
mov eax, dword ptr [eax+20h]
dec ecx
add eax, edx
jecxz 00007F8F1C4ED628h
dec eax
dec ecx
inc ecx
mov esi, dword ptr [eax+ecx*4]
dec eax
add esi, edx
dec ebp
xor ecx, ecx
dec eax
xor eax, eax
lodsb
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
cmp al, ah
jne 00007F8F1C4ED5C3h
dec esp
add ecx, dword ptr [esp+08h]
inc ebp
cmp ecx, edx
jne 00007F8F1C4ED5AAh
pop eax
inc esp
mov eax, dword ptr [eax+24h]
dec ecx
add eax, edx
inc cx
mov ecx, dword ptr [eax+ecx*2]
inc esp
mov eax, dword ptr [eax+1Ch]
dec ecx
add eax, edx
inc ecx
mov eax, dword ptr [eax+ecx*4]
inc ecx
pop eax
inc ecx
pop eax
dec eax
add eax, edx
pop esi
pop ecx
pop edx
inc ecx
pop eax
inc ecx
pop ecx
inc ecx
pop edx
dec eax
sub esp, 20h
inc ecx

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[ASM] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4200	0x6c	.aycs
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4270	0x8	.aycs
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104e	0x1200	a4a5deae25708a9e05f50bcad7075c86	False	0.025390625	data	0.16810049402497224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x84	0x200	253b88122c36b6951090c6288183e4ae	False	0.15625	data	0.9630867345987311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.aycs	0x4000	0x278	0x400	ea92a97d65e01e0fb402ff25159a45c5	False	0.5302734375	data	4.304252932787313	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	VirtualAlloc, ExitProcess

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 04:28:56.356075048 CEST	49704	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:28:56.361088037 CEST	6666	49704	47.239.242.141	192.168.2.5
Oct 8, 2024 04:28:56.361190081 CEST	49704	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:28:58.433989048 CEST	6666	49704	47.239.242.141	192.168.2.5
Oct 8, 2024 04:28:58.434071064 CEST	49704	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:28:58.434437037 CEST	49704	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:28:58.435074091 CEST	49705	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:28:58.439378023 CEST	6666	49704	47.239.242.141	192.168.2.5
Oct 8, 2024 04:28:58.439924002 CEST	6666	49705	47.239.242.141	192.168.2.5
Oct 8, 2024 04:28:58.440006018 CEST	49705	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:00.504858017 CEST	6666	49705	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:00.504968882 CEST	49705	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:00.505351067 CEST	49705	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:00.505887032 CEST	49706	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:00.510112047 CEST	6666	49705	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:00.510657072 CEST	6666	49706	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:00.510735035 CEST	49706	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:02.581083059 CEST	6666	49706	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:02.581222057 CEST	49706	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:02.581533909 CEST	49706	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:02.582176924 CEST	49707	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:02.586350918 CEST	6666	49706	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:02.587069988 CEST	6666	49707	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:02.587146044 CEST	49707	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:04.630455017 CEST	6666	49707	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:04.630587101 CEST	49707	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:04.630860090 CEST	49707	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:04.631505013 CEST	49708	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:04.635730982 CEST	6666	49707	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:04.636398077 CEST	6666	49708	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:04.636472940 CEST	49708	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:06.681799889 CEST	6666	49708	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:06.681891918 CEST	49708	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:06.682199955 CEST	49708	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:06.682832003 CEST	49709	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:06.687028885 CEST	6666	49708	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:06.687762976 CEST	6666	49709	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:06.687844992 CEST	49709	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:08.726419926 CEST	6666	49709	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:08.726705074 CEST	49709	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:08.727113962 CEST	49709	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:08.727648973 CEST	49710	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:08.731853962 CEST	6666	49709	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:08.732449055 CEST	6666	49710	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:08.732551098 CEST	49710	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:10.800486088 CEST	6666	49710	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:10.800581932 CEST	49710	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:10.800975084 CEST	49710	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:10.801609993 CEST	49711	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:10.805777073 CEST	6666	49710	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:10.806353092 CEST	6666	49711	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:10.806437016 CEST	49711	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:12.851751089 CEST	6666	49711	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:12.851816893 CEST	49711	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:12.852216959 CEST	49711	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:12.853136063 CEST	49715	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:12.856976032 CEST	6666	49711	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:12.857940912 CEST	6666	49715	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:12.857999086 CEST	49715	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:14.930875063 CEST	6666	49715	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:14.930938005 CEST	49715	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:14.931272030 CEST	49715	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:14.932104111 CEST	49720	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:14.936139107 CEST	6666	49715	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:14.936930895 CEST	6666	49720	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:14.937014103 CEST	49720	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:17.040447950 CEST	6666	49720	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:17.041559935 CEST	49720	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:17.046022892 CEST	49720	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:17.046952009 CEST	49727	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:17.050923109 CEST	6666	49720	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:17.051930904 CEST	6666	49727	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:17.052006960 CEST	49727	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:19.144570112 CEST	6666	49727	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:19.147877932 CEST	49727	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:19.148088932 CEST	49727	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:19.148725033 CEST	49743	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:19.152812958 CEST	6666	49727	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:19.153481960 CEST	6666	49743	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:19.153588057 CEST	49743	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:21.246426105 CEST	6666	49743	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:21.246494055 CEST	49743	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:21.246773005 CEST	49743	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:21.247325897 CEST	49759	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:21.251562119 CEST	6666	49743	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:21.252105951 CEST	6666	49759	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:21.252173901 CEST	49759	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:23.286938906 CEST	6666	49759	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:23.287023067 CEST	49759	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:23.287471056 CEST	49759	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:23.288675070 CEST	49770	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:23.292289019 CEST	6666	49759	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:23.293587923 CEST	6666	49770	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:23.293685913 CEST	49770	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:25.338098049 CEST	6666	49770	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:25.338217974 CEST	49770	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:25.338702917 CEST	49770	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:25.339658976 CEST	49786	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:25.343468904 CEST	6666	49770	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:25.344506025 CEST	6666	49786	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:25.344588041 CEST	49786	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:27.383529902 CEST	6666	49786	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:27.383622885 CEST	49786	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:27.383928061 CEST	49786	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:27.384646893 CEST	49802	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:27.388755083 CEST	6666	49786	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:27.389583111 CEST	6666	49802	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:27.389656067 CEST	49802	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:29.445700884 CEST	6666	49802	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:29.445797920 CEST	49802	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:29.446114063 CEST	49802	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:29.446758032 CEST	49813	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:29.450894117 CEST	6666	49802	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:29.451549053 CEST	6666	49813	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:29.451639891 CEST	49813	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:31.535274982 CEST	6666	49813	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:31.535337925 CEST	49813	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:31.535681963 CEST	49813	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:31.536343098 CEST	49825	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:31.540400982 CEST	6666	49813	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:31.541111946 CEST	6666	49825	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:31.541188955 CEST	49825	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:33.603993893 CEST	6666	49825	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:33.604094982 CEST	49825	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:33.615071058 CEST	49825	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:33.615806103 CEST	49837	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:33.619847059 CEST	6666	49825	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:33.620615005 CEST	6666	49837	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:33.620686054 CEST	49837	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:35.681138039 CEST	6666	49837	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:35.681206942 CEST	49837	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:35.681498051 CEST	49837	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:35.682102919 CEST	49853	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:35.686309099 CEST	6666	49837	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:35.686937094 CEST	6666	49853	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:35.687002897 CEST	49853	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:37.727580070 CEST	6666	49853	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:37.727664948 CEST	49853	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:37.728108883 CEST	49853	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:37.729012966 CEST	49864	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:37.732916117 CEST	6666	49853	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:37.733818054 CEST	6666	49864	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:37.733896971 CEST	49864	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:39.815304041 CEST	6666	49864	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:39.815469980 CEST	49864	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:39.816402912 CEST	49864	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:39.816525936 CEST	49880	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:39.821132898 CEST	6666	49864	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:39.821392059 CEST	6666	49880	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:39.821476936 CEST	49880	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:41.884593010 CEST	6666	49880	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:41.884674072 CEST	49880	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:41.885839939 CEST	49880	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:41.889339924 CEST	49896	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:41.890698910 CEST	6666	49880	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:41.894144058 CEST	6666	49896	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:41.894203901 CEST	49896	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:43.951167107 CEST	6666	49896	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:43.951297045 CEST	49896	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:43.951596975 CEST	49896	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:43.952177048 CEST	49908	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:43.956360102 CEST	6666	49896	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:43.956943989 CEST	6666	49908	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:43.957014084 CEST	49908	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:45.992993116 CEST	6666	49908	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:45.993061066 CEST	49908	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:45.993349075 CEST	49908	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:45.993997097 CEST	49923	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:45.998277903 CEST	6666	49908	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:45.998800039 CEST	6666	49923	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:45.998878002 CEST	49923	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:48.062649965 CEST	6666	49923	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:48.062721968 CEST	49923	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:48.063028097 CEST	49923	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:48.063644886 CEST	49935	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:48.067765951 CEST	6666	49923	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:48.068483114 CEST	6666	49935	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:48.068548918 CEST	49935	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:50.118088961 CEST	6666	49935	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:50.118300915 CEST	49935	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:50.118488073 CEST	49935	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:50.119093895 CEST	49950	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:50.125288010 CEST	6666	49935	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:50.125374079 CEST	6666	49950	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:50.125447035 CEST	49950	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:52.207807064 CEST	6666	49950	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:52.207892895 CEST	49950	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:52.208163977 CEST	49950	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:52.208756924 CEST	49963	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:52.213762045 CEST	6666	49950	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:52.214472055 CEST	6666	49963	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:52.214565039 CEST	49963	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:54.285712004 CEST	6666	49963	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:54.285800934 CEST	49963	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:54.286189079 CEST	49963	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:54.286690950 CEST	49976	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:54.290919065 CEST	6666	49963	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:54.291461945 CEST	6666	49976	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:54.291544914 CEST	49976	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:56.378954887 CEST	6666	49976	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:56.379062891 CEST	49976	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:56.379451036 CEST	49976	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:56.380069971 CEST	49991	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:56.384272099 CEST	6666	49976	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:56.384926081 CEST	6666	49991	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:56.385003090 CEST	49991	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:58.452920914 CEST	6666	49991	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:58.454679012 CEST	49991	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:58.454991102 CEST	49991	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:58.455651045 CEST	50003	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:29:58.459839106 CEST	6666	49991	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:58.460510969 CEST	6666	50003	47.239.242.141	192.168.2.5
Oct 8, 2024 04:29:58.460628986 CEST	50003	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:00.536055088 CEST	6666	50003	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:00.536204100 CEST	50003	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:00.536505938 CEST	50003	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:00.537245989 CEST	50008	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:00.541299105 CEST	6666	50003	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:00.542115927 CEST	6666	50008	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:00.542201042 CEST	50008	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:02.685066938 CEST	6666	50008	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:02.685179949 CEST	50008	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:02.685460091 CEST	50008	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:02.686028957 CEST	50009	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:02.690253973 CEST	6666	50008	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:02.690850019 CEST	6666	50009	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:02.690922022 CEST	50009	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:04.896684885 CEST	6666	50009	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:04.896883965 CEST	50009	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:04.897214890 CEST	50009	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:04.897839069 CEST	50010	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:04.902129889 CEST	6666	50009	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:04.902673960 CEST	6666	50010	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:04.902753115 CEST	50010	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:07.049470901 CEST	6666	50010	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:07.049640894 CEST	50010	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:07.050070047 CEST	50010	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:07.051021099 CEST	50011	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:07.054908991 CEST	6666	50010	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:07.055915117 CEST	6666	50011	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:07.056315899 CEST	50011	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:09.178224087 CEST	6666	50011	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:09.178801060 CEST	50011	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:09.178801060 CEST	50011	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:09.179734945 CEST	50012	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:09.183907986 CEST	6666	50011	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:09.184823990 CEST	6666	50012	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:09.185034037 CEST	50012	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:11.274348021 CEST	6666	50012	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:11.274425983 CEST	50012	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:11.274707079 CEST	50012	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:11.275320053 CEST	50013	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:11.279526949 CEST	6666	50012	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:11.280265093 CEST	6666	50013	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:11.280345917 CEST	50013	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:13.322252035 CEST	6666	50013	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:13.322542906 CEST	50013	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:13.322635889 CEST	50013	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:13.323183060 CEST	50014	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:13.327440977 CEST	6666	50013	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:13.328011036 CEST	6666	50014	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:13.328075886 CEST	50014	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:15.403410912 CEST	6666	50014	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:15.403582096 CEST	50014	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:15.403980970 CEST	50014	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:15.404845953 CEST	50015	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:15.409653902 CEST	6666	50014	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:15.411248922 CEST	6666	50015	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:15.411331892 CEST	50015	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:17.478486061 CEST	6666	50015	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:17.479244947 CEST	50015	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:17.479244947 CEST	50015	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:17.480401993 CEST	50016	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:17.484097004 CEST	6666	50015	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:17.485248089 CEST	6666	50016	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:17.485580921 CEST	50016	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:19.525316000 CEST	6666	50016	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:19.525398970 CEST	50016	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:19.525722027 CEST	50016	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:19.526432037 CEST	50017	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:19.530432940 CEST	6666	50016	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:19.531234026 CEST	6666	50017	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:19.531333923 CEST	50017	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:21.589792013 CEST	6666	50017	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:21.589924097 CEST	50017	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:21.590405941 CEST	50017	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:21.591377974 CEST	50018	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:21.595195055 CEST	6666	50017	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:21.596184969 CEST	6666	50018	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:21.596270084 CEST	50018	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:23.692441940 CEST	6666	50018	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:23.692637920 CEST	50018	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:23.692996979 CEST	50018	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:23.694060087 CEST	50019	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:23.698183060 CEST	6666	50018	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:23.699369907 CEST	6666	50019	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:23.699465036 CEST	50019	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:25.786032915 CEST	6666	50019	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:25.786237001 CEST	50019	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:25.786784887 CEST	50019	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:25.787435055 CEST	50020	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:25.791645050 CEST	6666	50019	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:25.792288065 CEST	6666	50020	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:25.792355061 CEST	50020	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:27.860841990 CEST	6666	50020	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:27.861083984 CEST	50020	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:27.862035990 CEST	50020	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:27.864213943 CEST	50021	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:27.866841078 CEST	6666	50020	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:27.869070053 CEST	6666	50021	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:27.869240999 CEST	50021	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:29.919061899 CEST	6666	50021	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:29.919174910 CEST	50021	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:29.919629097 CEST	50021	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:29.920639038 CEST	50022	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:29.925020933 CEST	6666	50021	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:29.925405979 CEST	6666	50022	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:29.925487995 CEST	50022	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:31.994503975 CEST	6666	50022	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:31.994573116 CEST	50022	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:31.994863987 CEST	50022	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:31.995523930 CEST	50023	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:31.999599934 CEST	6666	50022	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:32.000332117 CEST	6666	50023	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:32.000421047 CEST	50023	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:34.118360043 CEST	6666	50023	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:34.118489027 CEST	50023	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:34.119189024 CEST	50023	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:34.119680882 CEST	50024	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:34.123995066 CEST	6666	50023	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:34.124555111 CEST	6666	50024	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:34.124677896 CEST	50024	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:36.211252928 CEST	6666	50024	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:36.211399078 CEST	50024	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:36.211628914 CEST	50024	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:36.212219000 CEST	50025	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:36.216406107 CEST	6666	50024	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:36.217004061 CEST	6666	50025	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:36.217067957 CEST	50025	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:38.259572029 CEST	6666	50025	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:38.259758949 CEST	50025	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:38.260400057 CEST	50025	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:38.261014938 CEST	50026	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:38.265191078 CEST	6666	50025	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:38.265847921 CEST	6666	50026	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:38.265928984 CEST	50026	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:40.349695921 CEST	6666	50026	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:40.349844933 CEST	50026	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:40.353390932 CEST	50026	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:40.358298063 CEST	6666	50026	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:40.361038923 CEST	50027	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:40.365957975 CEST	6666	50027	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:40.366039991 CEST	50027	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:42.419358015 CEST	6666	50027	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:42.419596910 CEST	50027	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:42.419836998 CEST	50027	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:42.420438051 CEST	50028	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:42.424604893 CEST	6666	50027	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:42.425290108 CEST	6666	50028	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:42.425364971 CEST	50028	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:44.463434935 CEST	6666	50028	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:44.463651896 CEST	50028	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:44.463829041 CEST	50028	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:44.464416027 CEST	50029	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:44.468661070 CEST	6666	50028	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:44.469307899 CEST	6666	50029	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:44.469368935 CEST	50029	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:46.508956909 CEST	6666	50029	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:46.509089947 CEST	50029	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:46.509644032 CEST	50029	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:46.510479927 CEST	50030	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:46.514514923 CEST	6666	50029	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:46.515378952 CEST	6666	50030	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:46.515464067 CEST	50030	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:48.557754993 CEST	6666	50030	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:48.557976961 CEST	50030	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:48.558176041 CEST	50030	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:48.558779955 CEST	50031	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:48.562953949 CEST	6666	50030	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:48.563610077 CEST	6666	50031	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:48.563802004 CEST	50031	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:50.620909929 CEST	6666	50031	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:50.621042967 CEST	50031	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:50.621331930 CEST	50031	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:50.622100115 CEST	50032	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:50.626274109 CEST	6666	50031	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:50.627099991 CEST	6666	50032	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:50.627293110 CEST	50032	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:52.665915966 CEST	6666	50032	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:52.665998936 CEST	50032	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:52.666316986 CEST	50032	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:52.666939974 CEST	50033	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:52.671374083 CEST	6666	50032	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:52.671974897 CEST	6666	50033	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:52.672046900 CEST	50033	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:54.713901043 CEST	6666	50033	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:54.714101076 CEST	50033	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:54.714930058 CEST	50033	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:54.719650984 CEST	6666	50033	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:54.721426010 CEST	50034	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:54.726264000 CEST	6666	50034	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:54.726356983 CEST	50034	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:56.821557045 CEST	6666	50034	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:56.821827888 CEST	50034	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:56.822124004 CEST	50034	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:56.826117039 CEST	50035	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:56.826935053 CEST	6666	50034	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:56.831056118 CEST	6666	50035	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:56.831163883 CEST	50035	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:58.885932922 CEST	6666	50035	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:58.886169910 CEST	50035	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:58.886452913 CEST	50035	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:58.887101889 CEST	50036	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:30:58.891355038 CEST	6666	50035	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:58.892373085 CEST	6666	50036	47.239.242.141	192.168.2.5
Oct 8, 2024 04:30:58.892474890 CEST	50036	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:31:00.932276011 CEST	6666	50036	47.239.242.141	192.168.2.5
Oct 8, 2024 04:31:00.932477951 CEST	50036	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:31:00.933505058 CEST	50036	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:31:00.935398102 CEST	50037	6666	192.168.2.5	47.239.242.141
Oct 8, 2024 04:31:00.938322067 CEST	6666	50036	47.239.242.141	192.168.2.5
Oct 8, 2024 04:31:00.940196037 CEST	6666	50037	47.239.242.141	192.168.2.5
Oct 8, 2024 04:31:00.940361023 CEST	50037	6666	192.168.2.5	47.239.242.141

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: NXK7tvxiAh.exePID: 3228, Parent PID: 1028

General

Target ID:	0
Start time:	22:28:55
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\NXK7tvxiAh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NXK7tvxiAh.exe"
Imagebase:	0x140000000
File size:	7'168 bytes
MD5 hash:	4F121EA16B6D93625750722B82B68566
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000000.2017931866.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: NXK7tvxiAh.exePID: 3228, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	42.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	88.9%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000001400040D6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92
networklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000000140004108
WSASocketA.WS2_32(00000000,00000000), ref: 0000000140004139
connect.WS2_32 ref: 000000014000414E
recv.WS2_32 ref: 0000000140004175
closesocket.WS2_32 ref: 00000001400041D9

Strings

ws2_32, xrefs: 00000001400040D7
unMa, xrefs: 00000001400041D3

Memory Dump Source

Source File: 00000000.00000002.3257863596.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.3257795738.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_NXK7tvxiAh.jbxd

Yara matches

Similarity

API ID: LibraryLoadSocketclosesocketconnectrecv
String ID: unMa$ws2_32
API String ID: 2974377591-2325342229
Opcode ID: 89f92c085a98e0a76f54d3c6f7480ad20a4018a5f34a8644ac3c2a25d9a8b8ea
Instruction ID: 142aa4cc21d4ff41224c27b3dc1efc0ac2e34cf01bdba4847470c7e655eee39f
Opcode Fuzzy Hash: 89f92c085a98e0a76f54d3c6f7480ad20a4018a5f34a8644ac3c2a25d9a8b8ea
Instruction Fuzzy Hash: 4A21E2E2B5525828FA27A2A33D17FF684456B29FE0F1880207F1E8F7D6DC68C6C2511D

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NXK7tvxiAh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: NXK7tvxiAh.exePID: 3228, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: NXK7tvxiAh.exePID: 3228, Parent PID: 1028COMMON

Execution Graph

Windows Analysis Report
NXK7tvxiAh.exe

Function 00000001400040D6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92
networklibraryCOMMON