Windows
Analysis Report
7yJsmmW4wS.exe
Overview
General Information
Sample name: | 7yJsmmW4wS.exe (renamed because original name is a hash value) |
Original sample name: | 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe |
Analysis ID: | 1532626 |
MD5: | 3dcc9cfed0a716b6ad3c4f4aaf1a1f46 |
SHA1: | e512e9a92247439ca3bbb8e412ec46f191025b41 |
SHA256: | 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2 |
Tags: | exe, user-Chainskilabs |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 7yJsmmW4wS.exe (PID: 2548 cmdline: "C:\Users\user\Desktop\7yJsmmW4wS.exe" MD5: 3DCC9CFED0A716B6AD3C4F4AAF1A1F46)
  - rat.exe (PID: 1240 cmdline: "C:\Users\user~1\AppData\Local\Temp\rat.exe" MD5: 0F43E9B3D93B65843F0346D76282BDC7)
  - schtasks.exe (PID: 7356 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - freeware.exe (PID: 2980 cmdline: "C:\Users\user~1\AppData\Local\Temp\freeware.exe" MD5: BFDFA3FAE0BF91D83DDDF5A708DBEFB1)
  - conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- edge.exe (PID: 7468 cmdline: C:\Users\user\AppData\Roaming\edge.exe MD5: 0F43E9B3D93B65843F0346D76282BDC7)
- edge.exe (PID: 7744 cmdline: C:\Users\user\AppData\Roaming\edge.exe MD5: 0F43E9B3D93B65843F0346D76282BDC7)
- edge.exe (PID: 8052 cmdline: MD5: 0F43E9B3D93B65843F0346D76282BDC7)
- edge.exe (PID: 7396 cmdline: MD5: 0F43E9B3D93B65843F0346D76282BDC7)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | |
{"C2 url": ["authors-reflections.gl.at.ply.gg"], "Port": "19578", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |

Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |

Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-13T19:16:24.283835+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 147.185.221.23 | 19578 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 9_2_00007FF7953992B4 |
Source: | Code function: | 9_2_00007FF795399210 |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Code function: | 9_2_00007FF7952B9D64 |
Operating System Destruction |
---|
Source: | Process information set: |
System Summary |
---|
Source: | Matched rule: |
Source: | Process Stats: |
Source: | Code function: | 9_2_00007FF7952B6A08 |
Source: | Code function: | 9_2_00007FF7952B7228 |
Source: | Code function: | 0_2_00007FFAACCE0A21 |
Source: | Code function: | 8_2_00007FFAACCE2719 |
Source: | Code function: | 8_2_00007FFAACCE1289 |
Source: | Code function: | 8_2_00007FFAACCE8A66 |
Source: | Code function: | 8_2_00007FFAACCE9812 |
Source: | Code function: | 8_2_00007FFAACCE0E33 |
Source: | Code function: | 8_2_00007FFAACCE3769 |
Source: | Code function: | 8_2_00007FFAACCE1BC5 |
Source: | Code function: | 9_2_00007FF7952B7228 |
Source: | Code function: | 9_2_00007FF7952D225C |
Source: | Code function: | 9_2_00007FF7952B5E5C |
Source: | Code function: | 9_2_00007FF7952CF2D5 |
Source: | Code function: | 9_2_00007FF7953992B4 |
Source: | Code function: | 9_2_00007FF7952B2980 |
Source: | Code function: | 9_2_00007FF7952D11BC |
Source: | Code function: | 9_2_00007FF7952BC214 |
Source: | Code function: | 9_2_00007FF7952B6A08 |
Source: | Code function: | 9_2_00007FF7952C2E0C |
Source: | Code function: | 9_2_00007FF7952CA5D8 |
Source: | Code function: | 9_2_00007FF7952C7CC0 |
Source: | Code function: | 9_2_00007FF7952B90B0 |
Source: | Code function: | 14_2_00007FFAACCE1289 |
Source: | Code function: | 14_2_00007FFAACCE1BC5 |
Source: | Code function: | 16_2_00007FFAACCD1289 |
Source: | Code function: | 16_2_00007FFAACCD1BC5 |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: |
Source: | Security API names: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Code function: | 9_2_00007FF7952BB728 |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | LNK file: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | .Net Code: |
Source: | .Net Code: |
Source: | Code function: | 0_2_00007FFAACCE00C1 |
Source: | Code function: | 8_2_00007FFAACCE00C1 |
Source: | Code function: | 9_2_00007FF7952CE536 |
Source: | Code function: | 9_2_00007FF7952BE08E |
Source: | Code function: | 9_2_00007FF7952BBF35 |
Source: | Code function: | 9_2_00007FF7952BBFE7 |
Source: | Code function: | 14_2_00007FFAACCE00C1 |
Source: | Code function: | 16_2_00007FFAACCD00C1 |
Source: | Static PE information: |
Source: | File created: |
Boot Survival |
---|
Source: | Process created: |
Source: | File created: |
Source: | File created: |
Source: | Registry value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | File Volume queried: |
Source: | Code function: | 9_2_00007FF7953992B4 |
Source: | Code function: | 9_2_00007FF795399210 |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Anti Debugging |
---|
Source: | System information queried: | Jump to behavior | ||
Source: | System information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 9_2_00007FF795398080 |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 9_2_00007FF795398D90 |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 9_2_00007FF795398C10 |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 24 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 55% | Virustotal | | Browse |
| 74% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT | |
| 100% | Avira | TR/Dropper.Gen | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1305769 | |
| 100% | Avira | HEUR/AGEN.1305769 | |
| 100% | Joe Sandbox ML | | |
| 100% | Joe Sandbox ML | | |
| 42% | Virustotal | | Browse |
| 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno | |
| 73% | Virustotal | | Browse |
| 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno | |
| 73% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 4% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 4% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
authors-reflections.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
147.185.221.23 | authors-reflections.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1532626 |
Start date and time: | 2024-10-13 19:12:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Sample name: | 7yJsmmW4wS.exe (renamed because the original name is a hash value) |
Original Sample Name: | 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@13/6@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 7yJsmmW4wS.exe, PID 2548 because it is empty
- Execution Graph export aborted for target edge.exe, PID 7468 because it is empty
- Execution Graph export aborted for target edge.exe, PID 7744 because it is empty
- Execution Graph export aborted for target freeware.exe, PID 2980 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
13:13:11 | API Interceptor | |
19:13:12 | Task Scheduler | |
19:13:12 | Autostart | |
20:55:59 | Autostart | |
20:56:19 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
147.185.221.23 | | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | Blank Grabber, XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SALSGIVERUS | | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | AsyncRAT, XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
| | Get hash | malicious | XWorm | Browse | |
Process: | C:\Users\user\Desktop\7yJsmmW4wS.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.380476433908377 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT |
MD5: | 30E4BDFC34907D0E4D11152CAEBE27FA |
SHA1: | 825402D6B151041BA01C5117387228EC9B7168BF |
SHA-256: | A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63 |
SHA-512: | 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Roaming\edge.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.380476433908377 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT |
MD5: | 30E4BDFC34907D0E4D11152CAEBE27FA |
SHA1: | 825402D6B151041BA01C5117387228EC9B7168BF |
SHA-256: | A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63 |
SHA-512: | 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\7yJsmmW4wS.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2322432 |
Entropy (8bit): | 7.007547565174849 |
Encrypted: | false |
SSDEEP: | 49152:5iDc4qGH0Ux97b7b7blyAaqWq47gmEEnyKPZHRKttY+z+4y5PuL1dxhVQcmYD:2CUlaRqyZxKttYN/PuL1ZVF |
MD5: | BFDFA3FAE0BF91D83DDDF5A708DBEFB1 |
SHA1: | EFDE91E21BE9CC72F232FF7EECE993D044308BB7 |
SHA-256: | 7EAD32808AB47500FF3E36FC1B4702E797457ACC46E2769CD23004E5FAEB6761 |
SHA-512: | 740429D8D3E15EB4DA2ED45F5C3BBE159D3F8C4B734044A26A478F71E6B529881CA0A198A00578105BFFDD34B013B024D6D94F404AEE91C1EAC0A53414F25A6F |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\7yJsmmW4wS.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40448 |
Entropy (8bit): | 5.636394334726735 |
Encrypted: | false |
SSDEEP: | 768:ET7JKHWcEbDvghvq3cJ+uap/5fzbN2WzFPw9UwOphwuA4c:A7JKHWcqcLiFN2iFY9UwOpGh4c |
MD5: | 0F43E9B3D93B65843F0346D76282BDC7 |
SHA1: | 140BE5EEC263CDBADB57579201AA7CCACD3C770D |
SHA-256: | 108FF90BF1870B1618CCBA08FFA06DAE87028F514BDF2410B46204AFA2F8248B |
SHA-512: | E322DA86925D29C214223F7E05C52B86104333D8E6A28C8F91A2B261B5B50DD08A209EFBA59AEAEE17607BE52EC2C2405030FC6945CE11FA0DCA01FEFDA8A029 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\rat.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 751 |
Entropy (8bit): | 5.067548280755048 |
Encrypted: | false |
SSDEEP: | 12:8ocO4gN+2Chsi1Y//jt6AALuQaJ8+aDjAvNHTBHFeQJCQJzBmV:8fl2f9muQz+yAppF9JZJtm |
MD5: | 8236853F02B2A1FCE12A171121A196F0 |
SHA1: | D9F5512AABFB2A7464386289EF58CE355E6385AE |
SHA-256: | FFA9411284490D1CAA872B22CC5D35505EBD51CE2B3BEA04C5F02E2398EDF237 |
SHA-512: | A9FEF469758F1700D4D0B3BD31DC5E2246517C9461ADF3AD0F572E828506F75A335434872B18CB73D4E4F7B068BFBFCC56B469610FAA495AF875A8D4E40ADAFA |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\rat.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40448 |
Entropy (8bit): | 5.636394334726735 |
Encrypted: | false |
SSDEEP: | 768:ET7JKHWcEbDvghvq3cJ+uap/5fzbN2WzFPw9UwOphwuA4c:A7JKHWcqcLiFN2iFY9UwOpGh4c |
MD5: | 0F43E9B3D93B65843F0346D76282BDC7 |
SHA1: | 140BE5EEC263CDBADB57579201AA7CCACD3C770D |
SHA-256: | 108FF90BF1870B1618CCBA08FFA06DAE87028F514BDF2410B46204AFA2F8248B |
SHA-512: | E322DA86925D29C214223F7E05C52B86104333D8E6A28C8F91A2B261B5B50DD08A209EFBA59AEAEE17607BE52EC2C2405030FC6945CE11FA0DCA01FEFDA8A029 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Preview: |
File type: | |
Entropy (8bit): | 7.997859272989848 |
TrID: | |
File name: | 7yJsmmW4wS.exe |
File size: | 1'464'320 bytes |
MD5: | 3dcc9cfed0a716b6ad3c4f4aaf1a1f46 |
SHA1: | e512e9a92247439ca3bbb8e412ec46f191025b41 |
SHA256: | 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2 |
SHA512: | 9400b6f93ea25a644be656d2a1d9d3ba7a44ba2abdeb2140e6428fcdd4ba198216628c094602684744de2293bcbfe7e323c6ad74e4d7c6e16c77b66d1f65666c |
SSDEEP: | 24576:bvx5AU4Cte393UvHQbyGDfa1HSiSvcXKF41oVMz8f9ShSpwRs6MmgBXzAnPcWJ+G:bvPJ4Ue1IweVpSiGIec8Pr6MmgBX3H0g |
TLSH: | 016533B08BFCF325EED8573568603601C362A4A6784F1C5E8DA0892A631FA5F065DFD7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)c.g.................N...........l... ........@.. ....................................@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x566cae |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x670B6329 [Sun Oct 13 06:05:29 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x166c54 | 0x57 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x168000 | 0x4e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16a000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x164cb4 | 0x164e00 | d2b6185c2aee59bf0e792e0d80bef820 | False | 0.9953542305166375 | data | 7.998334006790471 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x168000 | 0x4e0 | 0x600 | 07e863eeca965422f6550ca650e23d0d | False | 0.3776041666666667 | data | 3.726934327461166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x16a000 | 0xc | 0x200 | b5ddd55df5d98f6eaa46a44d28165bd9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x1680a0 | 0x24c | data | | | 0.47278911564625853 |
RT_MANIFEST | 0x1682f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-13T19:15:50.862264+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49977 | 147.185.221.23 | 19578 | TCP |
2024-10-13T19:16:24.283835+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49979 | 147.185.221.23 | 19578 | TCP |
Oct 13, 2024 19:15:59.674532890 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:15:59.679414034 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:15:59.705761909 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:15:59.710664988 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:08.486913919 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:08.492258072 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:09.971357107 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:09.976516008 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:10.018122911 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:10.023272038 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:15.752569914 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:15.757730961 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:15.935811996 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:15.935904980 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.033565998 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.035181046 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.038546085 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:20.040201902 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:20.040301085 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.077361107 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.082518101 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:20.111892939 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.117163897 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:20.127420902 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.132342100 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:22.096450090 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:22.103252888 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:24.283834934 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:24.288813114 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:28.846292019 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:28.851497889 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:30.299346924 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:30.304512024 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:30.377510071 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:30.382648945 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:38.143547058 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:38.149203062 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:40.502579927 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:40.507596970 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:40.518424988 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:40.523890972 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:40.533864021 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:40.540795088 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:41.439224958 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:41.439307928 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.627420902 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.629724979 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.632397890 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.634630919 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.634701967 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.671724081 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.676738977 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.690026999 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.694914103 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.799429893 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.804594040 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.815069914 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.820954084 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.893460989 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.898900986 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.924372911 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.930237055 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.955668926 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.961458921 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.971252918 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.976907015 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:51.064929008 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:51.070713043 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:57.877717018 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:57.882839918 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:02.315188885 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:02.320342064 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:07.014601946 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:07.017436028 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.299349070 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.300802946 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.304425001 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:15.305763960 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:15.305876970 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.333889008 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.338860989 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:29.862045050 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:29.866965055 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:36.703522921 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:36.703648090 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.799305916 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.800616980 CEST | 49982 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.805026054 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:42.805994034 CEST | 19578 | 49982 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:42.806272984 CEST | 49982 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.844145060 CEST | 49982 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.849191904 CEST | 19578 | 49982 | 147.185.221.23 | 192.168.2.7 |
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 13, 2024 19:13:12.294356108 CEST | 63185 | 53 | 192.168.2.7 | 1.1.1.1 |
Oct 13, 2024 19:13:12.307651997 CEST | 53 | 63185 | 1.1.1.1 | 192.168.2.7 |
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 13, 2024 19:13:12.294356108 CEST | 192.168.2.7 | 1.1.1.1 | 0xcbd6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 13, 2024 19:13:12.307651997 CEST | 1.1.1.1 | 192.168.2.7 | 0xcbd6 | No error (0) | | | 147.185.221.23 | A (IP address) | IN (0x0001) | false |
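The TCP rows above show the client reaching 147.185.221.23:19578 through a chain of connections on consecutive source ports (49977 to 49982), each living roughly 20 to 30 seconds and replaced within milliseconds by the next one, and the single DNS answer in the capture resolves to that same address. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the report's pipe-separated format, groups them into client connections by ephemeral source port and flags that reconnect chain, which is what distinguishes a re-dialling client from one long session or a sleep-based beacon. The embedded rows are the first and last packet per source port, excerpted from the table above (port 49976 is left out because its start precedes this excerpt); the 60 s lifetime and 2 s gap thresholds are assumptions chosen for illustration.

```python
"""Added example (not part of the sandbox report): group the report's TCP rows
into client connections and flag the reconnect chain to the C2 endpoint."""
from collections import defaultdict
from datetime import datetime

C2_IP, C2_PORT = "147.185.221.23", 19578  # destination seen in the table above

# First and last packet of each source port, excerpted from the TCP table above.
ROWS = """\
Oct 13, 2024 19:15:33.128580093 CEST | 49977 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:15:54.550345898 CEST | 19578 | 49977 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:15:54.549498081 CEST | 49978 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:20.038546085 CEST | 19578 | 49978 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:20.035181046 CEST | 49979 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:16:45.632397890 CEST | 19578 | 49979 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:16:45.629724979 CEST | 49980 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:15.304425001 CEST | 19578 | 49980 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:15.300802946 CEST | 49981 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.805026054 CEST | 19578 | 49981 | 147.185.221.23 | 192.168.2.7 |
Oct 13, 2024 19:17:42.800616980 CEST | 49982 | 19578 | 192.168.2.7 | 147.185.221.23 |
Oct 13, 2024 19:17:42.849191904 CEST | 19578 | 49982 | 147.185.221.23 | 192.168.2.7 |
"""


def parse_ts(text):
    """'Oct 13, 2024 19:15:33.128580093 CEST' -> datetime. The zone label is
    dropped and the 9-digit fraction truncated to the 6 digits strptime accepts."""
    stamp, _zone = text.rsplit(" ", 1)
    base, frac = stamp.split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) per table row."""
    packets = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            continue  # header, separator or blank line
        ts, sport, dport, sip, dip = cells
        packets.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return packets


def connections(packets, c2_ip, c2_port):
    """Group packets into client connections keyed by the ephemeral source port.
    Returns [(port, first_seen, last_seen)] ordered by first_seen."""
    seen = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        if dip == c2_ip and dport == c2_port:
            seen[sport].append(ts)   # client -> server
        elif sip == c2_ip and sport == c2_port:
            seen[dport].append(ts)   # server -> client
    return sorted(((p, min(t), max(t)) for p, t in seen.items()), key=lambda c: c[1])


def reconnect_chain(conns, max_gap_s=2.0, max_life_s=60.0):
    """Pairs of consecutive short-lived connections where the next one opens
    within max_gap_s of the previous one's last packet (the gap is negative
    when the new socket opens before the old one's final ACK/FIN, as here).
    Thresholds are illustrative assumptions, not values from the report."""
    chain = []
    for (p_prev, first_prev, last_prev), (p_next, first_next, _) in zip(conns, conns[1:]):
        life = (last_prev - first_prev).total_seconds()
        gap = (first_next - last_prev).total_seconds()
        if life <= max_life_s and abs(gap) <= max_gap_s:
            chain.append((p_prev, p_next, round(life, 1), round(gap, 3)))
    return chain


if __name__ == "__main__":
    conns = connections(parse_rows(ROWS), C2_IP, C2_PORT)
    for prev, nxt, life, gap in reconnect_chain(conns):
        print(f"port {prev} lived {life:5.1f}s, replaced by {nxt} after {gap:+.3f}s")
```

Run against the full table rather than the excerpt, the same grouping also gives the packet count per connection, which separates a keepalive-only session from one carrying tasking.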
Target ID: | 0 |
Start time: | 13:13:02 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\Desktop\7yJsmmW4wS.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xed0000 |
File size: | 1'464'320 bytes |
MD5 hash: | 3DCC9CFED0A716B6AD3C4F4AAF1A1F46 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 13:13:06 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\rat.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x370000 |
File size: | 40'448 bytes |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 9 |
Start time: | 13:13:06 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\freeware.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7952b0000 |
File size: | 2'322'432 bytes |
MD5 hash: | BFDFA3FAE0BF91D83DDDF5A708DBEFB1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 10 |
Start time: | 13:13:06 |
Start date: | 13/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 12 |
Start time: | 13:13:10 |
Start date: | 13/10/2024 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff68aec0000 |
File size: | 235'008 bytes |
MD5 hash: | 76CD6626DD8834BD4A42E6A565104DC2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 13:13:10 |
Start date: | 13/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 13:13:12 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xe00000 |
File size: | 40'448 bytes |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 16 |
Start time: | 14:56:00 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x500000 |
File size: | 40'448 bytes |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 20 |
Start time: | 14:57:00 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 40'448 bytes |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 22 |
Start time: | 14:58:01 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 40'448 bytes |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
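Target IDs 8 and 14 to 22 carry the same MD5 (0F43E9B3D93B65843F0346D76282BDC7) under two different paths, Temp\rat.exe and Roaming\edge.exe, and after schtasks.exe (Target ID 12) the Roaming copy is started again at 14:56:00, 14:57:00 and 14:58:01. The following is an added example, not code from the report or from the sample: it parses the report's "Key: | value |" process records into dicts, pivots on the MD5 to tie the dropped file to its persisted copy, and measures the spacing of the edge.exe start times, which is how one confirms from the process list alone that a one-minute scheduler is relaunching it. The embedded records are excerpted from the list above with only the fields the code uses; the 60 s period and 5 s tolerance are assumptions.

```python
"""Added example (not part of the sandbox report): parse the process records,
pivot on MD5 to link the Temp dropper to its Roaming copy, and measure the
relaunch cadence of the persisted copy."""
from collections import defaultdict
from datetime import datetime

# Records excerpted from the process list above (only the fields used here).
RECORDS = r"""
Target ID: | 8 |
Start time: | 13:13:06 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\rat.exe |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Target ID: | 12 |
Start time: | 13:13:10 |
Start date: | 13/10/2024 |
Path: | C:\Windows\System32\schtasks.exe |
MD5 hash: | 76CD6626DD8834BD4A42E6A565104DC2 |
Target ID: | 14 |
Start time: | 13:13:12 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Target ID: | 16 |
Start time: | 14:56:00 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Target ID: | 20 |
Start time: | 14:57:00 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
Target ID: | 22 |
Start time: | 14:58:01 |
Start date: | 13/10/2024 |
Path: | C:\Users\user\AppData\Roaming\edge.exe |
MD5 hash: | 0F43E9B3D93B65843F0346D76282BDC7 |
"""


def parse_records(text):
    """One dict per process; a 'Target ID' line opens each record. Splitting on
    the first colon keeps drive letters in paths intact."""
    procs, cur = [], None
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        value = rest.strip().strip("|").strip()
        if key.strip() == "Target ID":
            cur = {"Target ID": int(value)}
            procs.append(cur)
        elif cur is not None:
            cur[key.strip()] = value
    return procs


def same_binary_under_other_paths(procs):
    """MD5 -> sorted paths, for hashes that run from more than one path."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p["MD5 hash"].upper()].add(p["Path"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def relaunch_intervals(procs, image_name):
    """Whole seconds between successive starts of the same image (report local time)."""
    suffix = "\\" + image_name.lower()
    starts = sorted(
        datetime.strptime(p["Start date"] + " " + p["Start time"], "%d/%m/%Y %H:%M:%S")
        for p in procs if p["Path"].lower().endswith(suffix)
    )
    return [int((later - earlier).total_seconds()) for earlier, later in zip(starts, starts[1:])]


def periodic_relaunches(intervals, period_s=60, tolerance_s=5):
    """Intervals within tolerance of a fixed period (assumed 60 s, i.e. a task
    scheduled every minute); the first, long interval is the sandbox's own gap."""
    return [i for i in intervals if abs(i - period_s) <= tolerance_s]


if __name__ == "__main__":
    procs = parse_records(RECORDS)
    for md5, paths in same_binary_under_other_paths(procs).items():
        print(md5, "runs from", " and ".join(paths))
    gaps = relaunch_intervals(procs, "edge.exe")
    print("edge.exe start intervals (s):", gaps, "-> periodic:", periodic_relaunches(gaps))
```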
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FFAACCE0A21 | 0.4 | | | 398 | COMMON |
00007FFAACCE109E | 0.0 | | | 39 | COMMON |
00007FFAACCE09E6 | 0.0 | | | 21 | COMMON |
Execution Graph
Execution Coverage: | 20.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 3 |
Total number of Limit Nodes: | 0 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FF7952B7228 | 38.8 | 20 | 2 | 340 | library, COMMON |
00007FF7952B2980 | 31.9 | 12 | 6 | 442 | COMMON |
00007FF7952B6A08 | 31.8 | 14 | 4 | 313 | native, memory, library, COMMON |
00007FF7952C7CC0 | 28.4 | 10 | 6 | 378 | COMMON |
00007FF7952BC214 | 26.6 | 12 | 3 | 330 | COMMON |
00007FF7952B9D64 | 19.5 | 10 | 1 | 274 | COMMON |
00007FF7952B90B0 | 10.9 | 7 | | 389 | keyboard, COMMON |
00007FF7952D225C | 10.8 | 2 | 5 | 262 | COMMON |
00007FF7952BB728 | 9.0 | 6 | | 40 | process, string, COMMON |
00007FF795398C10 | 6.0 | 4 | | 39 | time, thread, COMMON |
00007FF795398D90 | 5.3 | 2 | 1 | 41 | window, COMMON |
00007FF7952C8820 | 33.5 | 11 | 8 | 281 | COMMON |
00007FF7952B9978 | 31.7 | 15 | 3 | 222 | COMMON |
00007FF7952D4C88 | 28.4 | 11 | 5 | 400 | COMMON |
00007FF7952C6A40 | 28.4 | 14 | 2 | 379 | COMMON |
00007FF7952C95F0 | 26.6 | 12 | 3 | 351 | COMMON |
00007FF7952C76E0 | 26.6 | 14 | 1 | 344 | COMMON |
00007FF7952C5F7C | 24.8 | 12 | 2 | 273 | COMMON |
00007FF7952C8290 | 24.8 | 11 | 3 | 270 | COMMON |
00007FF7952C708C | 23.0 | 8 | 5 | 289 | COMMON |
00007FF7952BBC65 | 22.9 | 7 | 6 | 118 | registry, COMMON |
00007FF7952D580C | 18.0 | 6 | 4 | 467 | string, COMMON |
00007FF7952BC7C4 | 17.7 | 7 | 3 | 238 | string, COMMON |
00007FF7952C27F4 | 16.1 | 8 | 1 | 314 | COMMON |
00007FF7952BF158 | 16.0 | 7 | 2 | 225 | COMMON |
00007FF7952BCBF8 | 15.9 | 8 | 1 | 141 | string, COMMON |
00007FF7952B7AD4 | 14.1 | 4 | 4 | 103 | library, loader, COMMON |
00007FF7952C935C | 12.4 | 6 | 1 | 177 | COMMON |
00007FF7952CE69C | 12.4 | 4 | 3 | 112 | COMMON |
00007FF7952BD557 | 10.6 | 2 | 4 | 105 | window, COMMON |
00007FF7952B11E8 | 10.6 | 4 | 2 | 51 | registry, COMMON |
00007FF7952B1038 | 10.6 | 4 | 2 | 51 | registry, COMMON |
00007FF795300D08 | 9.2 | 5 | 1 | 222 | COMMON |
00007FF7952C5C8C | 8.9 | 4 | 1 | 195 | COMMON |
00007FF7952B2340 | 8.9 | 3 | 2 | 157 | COMMON |
00007FF7952C74F0 | 8.9 | 3 | 2 | 128 | COMMON |
00007FF7952C9F98 | 8.9 | 4 | 1 | 127 | COMMON |
00007FF7952BF924 | 8.9 | 3 | 2 | 120 | COMMON |
00007FF7952D2F28 | 7.2 | 3 | 1 | 155 | COMMON |
00007FF7952C5A80 | 7.1 | 3 | 1 | 138 | COMMON |
00007FF7952BC664 | 7.1 | 3 | 1 | 83 | file, COMMON |
00007FF7952B87C0 | 7.0 | 2 | 2 | 42 | library, loader, COMMON |
00007FF7952B7A2E | 7.0 | 2 | 2 | 35 | library, loader, COMMON |
00007FF795398EA8 | 7.0 | 2 | 2 | 20 | library, loader, COMMON |
00007FF7952B28A4 | 5.3 | 2 | 1 | 25 | COMMON |
00007FFAACCE1289 | 0.8 | | | 758 | COMMON |
00007FFAACCE1BC5 | 0.2 | | | 199 | COMMON |
00007FFAACCE0BFE | 0.8 | | | 772 | COMMON |
00007FFAACCE0DB0 | 0.6 | | | 564 | COMMON |
00007FFAACCE04C8 | 0.1 | | | 136 | COMMON |
00007FFAACCE0A91 | 0.1 | | | 127 | COMMON |
00007FFAACCE093A | 0.1 | | | 117 | COMMON |
00007FFAACCE1D81 | 0.1 | | | 63 | COMMON |
00007FFAACCD1289 | 0.8 | | | 759 | COMMON |
00007FFAACCD1BC5 | 0.2 | | | 199 | COMMON |
00007FFAACCD0BFE | 0.8 | | | 773 | COMMON |
00007FFAACCD0DB0 | 0.6 | | | 565 | COMMON |
00007FFAACCD04C8 | 0.1 | | | 137 | COMMON |
00007FFAACCD0A91 | 0.1 | | | 125 | COMMON |
00007FFAACCD0949 | 0.1 | | | 112 | COMMON |
00007FFAACCD1D81 | 0.1 | | | 63 | COMMON |