Edit tour

Windows Analysis Report
gjsdk.exe

Overview

General Information

Sample name:	gjsdk.exe
Analysis ID:	1529334
MD5:	0537541bc5c5e92570375c1178f6b8c0
SHA1:	041c02dbab31e9521f865f7e1783314364a93ec2
SHA256:	f38d1ee353a3c7f45a20a67b46bed65c4312fc24d7dcb761d800c8003d8d10e5
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Drops executables to the windows directory (C:\Windows) and starts them

Uses known network protocols on non-standard ports

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Drops PE files to the windows directory (C:\Windows)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

gjsdk.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\gjsdk.exe" MD5: 0537541BC5C5E92570375C1178F6B8C0)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mmzwi.exe (PID: 7588 cmdline: C:\Windows\AppReadiness\mmzwi.exe MD5: 0537541BC5C5E92570375C1178F6B8C0)

svchost.exe (PID: 8048 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 8048, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: gjsdk.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49953

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 45.151.62.65:8082

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: GF7zLiydRprawdcGTIIheg==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: OUx2ht0WNPJoXjDZ6u3e2w==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: iEPpNfUCMB4KPKjaL5VSPQ==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: +Z+9VSkuyjpvQkVrx8MhxQ==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: C0P5MvCyAeBMUwbVkkAe/w==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: myJxkJJ4oaSedrcwhxGnjA==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: fiJuZ0206DDY4XC9dWnhuA==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: 7eYFrZDFqk4ipCw7Av6AyA==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: FH2w5nqUvChS0FqylUd82g==Sec-WebSocket-Version: 13Upgrade: websocket
Source: global traffic	HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: V0fRj4PL+mkXO4y7UJYUpw==Sec-WebSocket-Version: 13Upgrade: websocket

Source: global traffic

DNS traffic detected: DNS query: c4h10o.autos

Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ftp://192.168.2.47
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000008000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%sHTTP/1.1
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%sbg-hi-bluebg-hi-magentabg-hi-cyanHTTP/1.1
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://45.151.62.65:8082/7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfky
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000124000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwords
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000222000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000110000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureNAME:
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureeyJhbGc
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdMust
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdThe
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C0008AE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyz
Source: mmzwi.exe, 00000002.00000002.2962140246.000000C0005D2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyz--09AZ__azMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQ
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyz00:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyzMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQMMZWIODFMQ2GGOJRGRTG
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C000904000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyzocelot.jython27.xyztiger.jython27.xyz00:11:22:33:44:55cecreate
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lockn1t3.xyzsizeof(rtype)

Source: C:\Users\user\Desktop\gjsdk.exe	File created: C:\Windows\AppReadiness\.840809828.tmp			Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	File created: C:\Windows\AppReadiness\.209553492.tmp			Jump to behavior

Source: classification engine

Classification label: mal52.troj.evad.winEXE@4/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Users\user\Desktop\gjsdk.exe	File opened: C:\Windows\system32\43cf6327ee4e9a51c1f22496118c7b5e2d1b5bb7f55e4e915b3b63d138789748AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	File opened: C:\Windows\system32\43d042447d465d96d1e34aed23508a3def79fdfb21cfe1f197319fae4deb3fb0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior

Source: C:\Users\user\Desktop\gjsdk.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\gjsdk.exe

File read: C:\Users\user\Desktop\gjsdk.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gjsdk.exe "C:\Users\user\Desktop\gjsdk.exe"
Source: C:\Users\user\Desktop\gjsdk.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\AppReadiness\mmzwi.exe C:\Windows\AppReadiness\mmzwi.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

Source: C:\Users\user\Desktop\gjsdk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: gjsdk.exe

Static file information: File size 12120576 > 1048576

Source: gjsdk.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xb8ee00

Source: gjsdk.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: gjsdk.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\AppReadiness\mmzwi.exe

Source: C:\Users\user\Desktop\gjsdk.exe

PE file moved: C:\Windows\AppReadiness\mmzwi.exe

Jump to behavior

Source: C:\Users\user\Desktop\gjsdk.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49953

Source: C:\Users\user\Desktop\gjsdk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: KVMKVMKVMKVMGetFileTimeGetFileTypeMicrosoft HvFORMAIFFGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdFORMAIFFVMwareVMwareGetProcessTimesXenVMMXenVMMbhyve bhyve GetStartupInfoWaudio/ai
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: <br/></ul>tbodytheadtfootstdinwhoisIPSecimap4rsyncsteamSkypeWhoIsNETSCXeroxMAILQVMNETUnifybhfhsFXP-1bhmdsVSLMPRTSPSbh611decapOnmuxArielSMPTEdsfgwalpesSMTPSss7nsaviandantzxvttpsnaretalkdripnguucpdkrcmdchcmddemonsonarVEMMIginadRUSHDnetGWrfilephoneKIOSKJSTELOBRPDROOTDIPCD3HuskyRxMonFTSRVMIMERBytexShiva3l-l1WinDDMSIMSradiocvmoncnhrpcft-0cft-1cft-2cft-3cft-4cft-5cft-6cft-7helloMMPFTSPICESlushCacheglobetroffrimslDSATPNETMLSNAPPdbrefRSMTPOrionvenusTOP/XTSILBspockWillyWinDbIPASSbruceSolveSonuswkarsqotpsAlarmUADTCaurisAISESaaftprmlnkPDnetREBOLqsoftICPv24TalkPlatoE-NetMySQLBBARSCSMS2jt400MS-LAITOSESariseMuleMCNTPA1-BSICMPDCVSupSSDTPProEdCDDBPWebSMqueuepokerIRISAHivePTrackBINKPquakeKuangyamux[E]: /hostES256ES384ES512EdDSAHS256HS384HS512RS256RS384RS512PS256PS384PS512%s=%qc(%s)
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IDEAFARM-CATCH / NetDevil trojanVMware Authentication Daemon
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000368000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Web Access
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024DE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: QeMUY6J
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Authentication Daemon / IDEAFARM-CHAT
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024BF000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ijfV6o2HGfS
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: places.sqliteplaces.sqliteClearCommError192.168.2.203192.168.2.204CloseHandleplaces.sqliteextensions.jsonConnectNamedPipeCreateDirectoryWCreateEventExWCreateEventWCreateFileWCreateHardLinkWCreateJobObjectWunsupported itemunsupported itemCreateMutexExWCreateMutexWparse error192.168.2.205CreateNamedPipeWCreatePipeCreateProcessW192.168.2.206192.168.2.207192.168.2.208AMDisbetter!DefineDosDeviceWDeleteFileWDeviceIoControlAuthenticAMDCentaurHaulsGenuineIntel192.168.2.209DuplicateHandleExitProcessFindCloseFindFirstFileWFindFirstVolumeWFindNextFileWFindNextVolumeWFindResourceWFindVolumeCloseFlushFileBuffersFlushViewOfFileFormatMessageWFreeLibraryGetCommStateGetCommTimeoutsGetCommandLineW192.168.2.210TransmetaCPUGetComputerNameW192.168.2.211192.168.2.212GetConsoleCPGetConsoleModeGenuineTMx86Geode by NSCVIA VIA VIA 192.168.2.213192.168.2.214KVMKVMKVMKVMGetDriveTypeWMicrosoft Hv192.168.2.215GetFileTimeGetFileType192.168.2.216VMwareVMwareGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdXenVMMXenVMMbhyve bhyve GetProcessTimes192.168.2.217192.168.2.218GetStartupInfoWHygonGenuineVortex86 SoCGetStdHandleSiS SiS SiS 192.168.2.219GetTempPathWGetTickCount64192.168.2.220RiseRiseRiseGetVersionGenuine RDC192.168.2.221192.168.2.222192.168.2.223192.168.2.224192.168.2.225IsWow64ProcessIsWow64Process2LoadLibraryExW192.168.2.226192.168.2.227LoadLibraryWLoadResourceLocalAllocLocalFreeLockFileExLockResourceMapViewOfFile192.168.2.228192.168.2.229Module32FirstW192.168.2.230192.168.2.231Module32NextW192.168.2.232192.168.2.233MoveFileExWGenuineIntel192.168.2.234MoveFileWOpenEventW192.168.2.235192.168.2.236OpenMutexWOpenProcessOpenThread192.168.2.237192.168.2.238Process32FirstWProcess32NextWPulseEventPurgeComm192.168.2.239Did you mean %q?QueryDosDeviceWReadConsReadFile ,,ReadConsoleWReleaseMutexW192.168.2.240192.168.2.241RemoveDirectoryWResetEventResumeThreadSetCommBreakSetCommMask192.168.2.242192.168.2.243SetCommStateshow help]192.168.2.244SetCommTimeoutsSetConsoleCPSetConsoleMode192.168.2.245[command]192.168.2.246192.168.2.247SetDllDirectoryW[command]192.168.2.248SetEndOfFileSetEnvirSetEvent192.168.2.249SetErrorModetestdata/fuzz
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: rlogindhcpv6vmwareradiuscpanelTelnetNI FTPGophervettcpFingerSUPDUPISO-IPJargonXyplexDirectrescapZannetHassleUTMPSDUTMPCDcomscmskronkMondexulpnetISAKMPPassGogdomapwhoamiudemonrepcmdSANityAminetRepCmdSun DRMeCommAgentXnloginquotadomservsubmitentombwpagesdevicevsinetmaitrdbusboynimregCARDAXPROOFDMurrayDNS2Gohermesudt_osDBStarTabulaPEportrfx-lmoracleisi-lm3ds-lmsna-csorbixdontimekermitrrirtrrrimwmrrilwmrrifmmrrisatcentraimperacaicciwinddxroketzproximencorepsmondRADIUSMyrtlecsoft1TALNETarmadptekplsmpnjscUniSQLsearchcdfuncsdfuncNBX CCNBX AUComcamAVENUEDOCENTRECIPeCVMMONpehelpsdhelpfcmsysFutrixWusageG-TalkGROOVEBMC ARDIRGISfjmpssREFTEKlabratDeliboCECSVCnetrekAMInetTragicOLHOSTtqdataRaven1Raven2aic-npcspuniatmtcpka0wucsilkp1silkp2silkp3silkp4glishddaishiEpiconROBOERJAMCT5JAMCT6SignalZARKOVBOSCAPITB301vsixmldi-asegds_dbTL1-LVVMODEMadmindSYSOPTfg-fpsfg-gippdrncsVNSSTRWebTIESUITJDDJ ILMSAVANTPharosN1-FWPActNetDJ-ICEA1-MSCEWCTSPxdsxdmJMACT3jmevt2iRDMI2PatrolLM DtaabarsdtruecmrasadvPalaceBlockshp-scohp-scaAsylummed-cipolicysha256deleteKOI8-RKOI8-U_count^(?i)(_blue__cyan_inverthiddenfinishack:%dIgnoreUTF-16[%d]%s
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: gjsdk.exe, 00000000.00000002.1750980942.000002B0E4744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mmzwi.exe, 00000002.00000002.2966741709.000001F8FE57C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\Users\user\Desktop\gjsdk.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gjsdk.exe	Queries volume information: C:\Users\user\Desktop\gjsdk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\Windows\AppReadiness\mmzwi.exe VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gjsdk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	12 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c4h10o.autos	45.151.62.65	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.151.62.65:8082/7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ==	false		unknown
http://45.151.62.65:8082/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://html4/loose.dtd	gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://45.151.62.65:8082/7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfky	mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyz00:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:	mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyzsizeof(rtype)	gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://%s:%d/%sHTTP/1.1	mmzwi.exe, 00000002.00000002.2959142621.000000C000008000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md	gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyzMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQMMZWIODFMQ2GGOJRGRTG	gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyz	mmzwi.exe, 00000002.00000002.2963616316.000000C0008AE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://%s:%d/%sbg-hi-bluebg-hi-magentabg-hi-cyanHTTP/1.1	mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyz--09AZ__azMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQ	mmzwi.exe, 00000002.00000002.2962140246.000000C0005D2000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature	mmzwi.exe, 00000002.00000002.2959142621.000000C000222000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdThe	gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureNAME:	gjsdk.exe, 00000000.00000002.1747251241.000000C000110000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://.css	gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	false	unknown
ftp://192.168.2.47	mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureeyJhbGc	mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://.jpg	gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/go-sql-driver/mysql/wiki/old_passwords	gjsdk.exe, 00000000.00000002.1747251241.000000C000124000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DC000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://lockn1t3.xyzocelot.jython27.xyztiger.jython27.xyz00:11:22:33:44:55cecreate	mmzwi.exe, 00000002.00000002.2963616316.000000C000904000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdMust	mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.151.62.65	c4h10o.autos	Russian Federation		25229	VOLIA-ASUA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529334
Start date and time:	2024-10-08 21:29:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gjsdk.exe
Detection:	MAL
Classification:	mal52.troj.evad.winEXE@4/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: gjsdk.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOLIA-ASUA	c8MI8gN5vm.exe	Get hash	malicious	Unknown	Browse	45.151.62.228
	na.elf	Get hash	malicious	Mirai	Browse	77.121.68.55
	BJgQPShJE7.elf	Get hash	malicious	Mirai, Moobot	Browse	93.78.155.71
	nIl2wyif6Q.elf	Get hash	malicious	Unknown	Browse	93.73.200.183
	dart.exe	Get hash	malicious	Unknown	Browse	194.61.120.50
	dart.exe	Get hash	malicious	Unknown	Browse	194.61.120.50
	QvTbUiFWlo.elf	Get hash	malicious	Mirai	Browse	77.122.59.194
	arm7.elf	Get hash	malicious	Mirai	Browse	93.77.112.98
	arm7-20240807-1021.elf	Get hash	malicious	Mirai	Browse	93.79.240.232
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	46.150.82.128

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.999984145243014
TrID:	Win64 Executable Console (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	gjsdk.exe
File size:	12'120'576 bytes
MD5:	0537541bc5c5e92570375c1178f6b8c0
SHA1:	041c02dbab31e9521f865f7e1783314364a93ec2
SHA256:	f38d1ee353a3c7f45a20a67b46bed65c4312fc24d7dcb761d800c8003d8d10e5
SHA512:	84c4bd7da7a2c14e2fb2c08b7e008fe54ebd2c6675d026ab44ab4daf068f6dd6df67b67d6fd4ef346c404e782c8ee038d399874c65fabb034e85e03deeefabc1
SSDEEP:	196608:ePP5dwn8if9Z3AANoyhJRSivD5ldQ7QcuiDNz4acPrgeYKJHCDV7fkw90GOEY:eZdHifHwWoyhXSqD5I7Qcuk1gJYNrkwg
TLSH:	E6C633B8E45BD436FDEBA9F3675134C124746C72B2436A391C22C2B87197783D9A2EC4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...............Q.......Q...@...........................................`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x349f210
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FF471E0Ah]
dec eax
lea edi, dword ptr [esi-02510025h]
push edi
mov eax, 0309D413h
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 00B8E1E0h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007F68ECF13BDBh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
sub esp, 48h
dec eax
mov dword ptr [esp+38h], ecx
dec eax
mov dword ptr [esp+20h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp+40h], esi
dec esp
mov dword ptr [esp+30h], eax
mov ebx, eax
inc esp
mov dword ptr [esp+2Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30a0000	0x9c	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f6f000	0x8a81c	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x2510000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x2511000	0xb8f000	0xb8ee00	2537a214c1e7caf6813f9b50466598cc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x30a0000	0x1000	0x200	6b3575e1d86f342657d2cebb83aeb6e9	False	0.197265625	data	1.3719135890817398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 21:30:35.082040071 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:35.087202072 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:35.087282896 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:35.087506056 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:35.092360020 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.632025957 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.632744074 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.633141041 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.633188009 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.637233019 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.638364077 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.638425112 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.759577990 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.764600992 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:36.764750957 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.765783072 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:36.770625114 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.015382051 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.015630960 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.015758038 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.015866995 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.015870094 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.015870094 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.016026020 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.022413969 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.022444010 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.232286930 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.232563972 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.234997034 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.237870932 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.240123987 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.795497894 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.795598984 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.795629025 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:38.795689106 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.795689106 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.795818090 CEST	49731	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:38.800894022 CEST	8082	49731	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:39.210815907 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:39.219866991 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:39.436192989 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:39.436842918 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:39.442080021 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:39.442275047 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:39.442504883 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:39.447566986 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:39.489759922 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.147435904 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.147664070 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.147691965 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.152698040 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.152770996 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.365303040 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.365489006 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.365509987 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.370543957 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.370574951 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.583174944 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.583271980 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:40.583323956 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.583323956 CEST	49732	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:40.588473082 CEST	8082	49732	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:41.585316896 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:41.591180086 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:41.802452087 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:41.802999973 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:41.808082104 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:41.808319092 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:41.808455944 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:41.813713074 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:41.855684042 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.492193937 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.492750883 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.492752075 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.498011112 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.498049974 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.924274921 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.924411058 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.924452066 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.924453020 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.924453020 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:42.929384947 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:42.929583073 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:43.144243956 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:43.144469023 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:43.144562960 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:43.144639015 CEST	49733	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:43.149529934 CEST	8082	49733	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.044678926 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.050096035 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.263103008 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.263658047 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.269001007 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.269188881 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.269368887 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.274561882 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.316679001 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.950408936 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.950959921 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.950959921 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:44.956412077 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:44.957153082 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.166781902 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.167001963 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:45.167084932 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:45.174155951 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.174185991 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.381473064 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.381522894 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:45.381587982 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:45.381668091 CEST	49734	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:45.386677980 CEST	8082	49734	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:47.110218048 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:47.115751028 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:47.328869104 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:47.329596043 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:47.337083101 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:47.337487936 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:47.337487936 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:47.342812061 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:47.385201931 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.036138058 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.036372900 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.036427021 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.041300058 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.042320013 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.407246113 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.454900026 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.538392067 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.538527012 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.538563013 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.543414116 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.543430090 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.751105070 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.751379967 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.751405001 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:48.751595974 CEST	49736	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:48.756721973 CEST	8082	49736	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:50.231997967 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:50.237349987 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:50.448803902 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:50.449399948 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:50.454761982 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:50.454907894 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:50.455110073 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:50.460270882 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:50.502520084 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.159703970 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.162705898 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.162705898 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.168821096 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.168848991 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.380494118 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.382837057 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.382869005 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.389722109 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.389771938 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.601950884 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.602794886 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.602854967 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.602931976 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.603127956 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:51.603183985 CEST	49741	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:51.608062983 CEST	8082	49741	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.034473896 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.040014029 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.251578093 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.252238035 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.257714987 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.257910967 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.258018017 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.263516903 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.305394888 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.946686983 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.946976900 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.946978092 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:55.952058077 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:55.952219009 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.332932949 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.333322048 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.333322048 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.338428974 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.338574886 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.809957981 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.810095072 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.810185909 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.810187101 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.810297012 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.810512066 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.811075926 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:30:56.811250925 CEST	49743	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:30:56.815289021 CEST	8082	49743	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:03.319796085 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:03.325006008 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:03.536194086 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:03.536772966 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:03.541712046 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:03.541929960 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:03.542020082 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:03.547003984 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:03.589426994 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.338728905 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.339154005 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.339154959 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.344302893 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.344332933 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.558128119 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.558383942 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.558384895 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.563294888 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.563313961 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.788444042 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.788535118 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:04.788626909 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.788717031 CEST	49744	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:04.793646097 CEST	8082	49744	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:16.277853012 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:16.283579111 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:16.496280909 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:16.497519970 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:16.502908945 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:16.502984047 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:16.503195047 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:16.508336067 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:16.550723076 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.208581924 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.209076881 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.209134102 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.214382887 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.215533018 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.427567005 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.427987099 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.428061008 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.433216095 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.433245897 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.645652056 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.645817995 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.645920038 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:17.646181107 CEST	49745	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:17.650893927 CEST	8082	49745	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:30.364628077 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:30.369477987 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:30.591501951 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:30.596741915 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:30.601949930 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:30.602056980 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:30.602369070 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:30.607919931 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:30.633944035 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.309484959 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.309957027 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.309957027 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.314776897 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.314814091 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.530976057 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.579849958 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.664865971 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.665195942 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.665195942 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.670047998 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.670288086 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.887808084 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.887962103 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.888854027 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:31:31.888907909 CEST	49773	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:31:31.893127918 CEST	8082	49773	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:00.494770050 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:00.499615908 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:00.720268011 CEST	8082	49730	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:00.720769882 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:00.725581884 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:00.725650072 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:00.725821972 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:00.730653048 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:00.773241043 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:01.454694986 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:01.454919100 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:01.454937935 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:01.459733963 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:01.460118055 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:01.850018978 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:01.852109909 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:01.852144957 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:01.856934071 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:01.857259989 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:02.106106043 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:02.106359005 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:02.106410980 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:02.109586954 CEST	49953	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:02.115150928 CEST	8082	49953	45.151.62.65	192.168.2.4
Oct 8, 2024 21:32:30.720536947 CEST	49730	8082	192.168.2.4	45.151.62.65
Oct 8, 2024 21:32:30.726006985 CEST	8082	49730	45.151.62.65	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 21:30:36.638293028 CEST	52137	53	192.168.2.4	1.1.1.1
Oct 8, 2024 21:30:36.754890919 CEST	53	52137	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 21:30:36.638293028 CEST	192.168.2.4	1.1.1.1	0x8d81	Standard query (0)	c4h10o.autos	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 21:30:36.754890919 CEST	1.1.1.1	192.168.2.4	0x8d81	No error (0)	c4h10o.autos		45.151.62.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.151.62.65:8082

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:35.087506056 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:36.632025957 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:35 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:36.632744074 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:35 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:36.633141041 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:35 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:36.638364077 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:35 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:39.210815907 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:39.436192989 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:39 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:41.585316896 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:41.802452087 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:41 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:44.044678926 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:44.263103008 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:44 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:47.110218048 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:47.328869104 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:47 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:50.231997967 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:50.448803902 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:50 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:30:55.034473896 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:30:55.251578093 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:30:55 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:31:03.319796085 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:31:03.536194086 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:31:03 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:31:16.277853012 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:31:16.496280909 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:31:16 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:31:30.364628077 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:31:30.591501951 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:31:30 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Oct 8, 2024 21:32:00.494770050 CEST	186	OUT	GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 8, 2024 21:32:00.720268011 CEST	128	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 19:32:00 GMT Content-Length: 11 Content-Type: text/plain; charset=utf-8 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:36.765783072 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:38.015382051 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: X6oWzr4/9gSOWvT9WBzSIky260o=
Oct 8, 2024 21:30:38.015630960 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: X6oWzr4/9gSOWvT9WBzSIky260o=
Oct 8, 2024 21:30:38.015866995 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: X6oWzr4/9gSOWvT9WBzSIky260o=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:39.442504883 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: GF7zLiydRprawdcGTIIheg== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:40.147435904 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: DD7r9dadHGaNMT/jW/XOjNUDZrc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:41.808455944 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: OUx2ht0WNPJoXjDZ6u3e2w== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:42.492193937 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: FMmC7esZcLiAkq+RaEXZJOlrFQU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:44.269368887 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: iEPpNfUCMB4KPKjaL5VSPQ== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:44.950408936 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: c8YylEFT3yX1xV0e+Vmr/WBMX4k=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:47.337487936 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: +Z+9VSkuyjpvQkVrx8MhxQ== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:48.036138058 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: Yd9iLQj+yVp5x7B1RQS1cQ3GWhE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:50.455110073 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: C0P5MvCyAeBMUwbVkkAe/w== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:51.159703970 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: 8fEFl0wi8QIforiWpGxdaRFPd6Y=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:30:55.258018017 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: myJxkJJ4oaSedrcwhxGnjA== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:30:55.946686983 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: MFzJUjr5F20PbsPF62hR/pLDYrs=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:31:03.542020082 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: fiJuZ0206DDY4XC9dWnhuA== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:31:04.338728905 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: /diV02oz4Y84Fi2A12g7TnIB5Pw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:31:16.503195047 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: 7eYFrZDFqk4ipCw7Av6AyA== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:31:17.208581924 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: qsQcUrcPVVIY5ILsbN7oFE6f0vM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:31:30.602369070 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: FH2w5nqUvChS0FqylUd82g== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:31:31.309484959 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: TpYyz5aVFMu0tPBdpLD3+36ziD8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49953	45.151.62.65	8082	7588	C:\Windows\AppReadiness\mmzwi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 21:32:00.725821972 CEST	188	OUT	GET / HTTP/1.1 Host: 45.151.62.65:8082 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: V0fRj4PL+mkXO4y7UJYUpw== Sec-WebSocket-Version: 13 Upgrade: websocket
Oct 8, 2024 21:32:01.454694986 CEST	129	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: DchnJppuT7pubx36y05mjP2Q0aw=

Target ID:	0
Start time:	15:30:31
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\gjsdk.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gjsdk.exe"
Imagebase:	0x640000
File size:	12'120'576 bytes
MD5 hash:	0537541BC5C5E92570375C1178F6B8C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:30:31
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:30:32
Start date:	08/10/2024
Path:	C:\Windows\AppReadiness\mmzwi.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\AppReadiness\mmzwi.exe
Imagebase:	0x640000
File size:	12'120'576 bytes
MD5 hash:	0537541BC5C5E92570375C1178F6B8C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:31:15
Start date:	08/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gjsdk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
gjsdk.exe