Edit tour
Windows
Analysis Report
PHHOjspjmp.exe
Overview
General Information
| Sample name: | PHHOjspjmp.exerenamed because original name is a hash value |
| Original sample name: | 46d004a90bfc51d6447a0661f440e7a5.exe |
| Analysis ID: | 1432016 |
| MD5: | 46d004a90bfc51d6447a0661f440e7a5 |
| SHA1: | fe33bb099ec660d4cc2607a34bcf55c92c5dc0f8 |
| SHA256: | a50139923127672a8083b6d24b45e102e358aa0fcb8b558a85386cf9892605aa |
| Tags: | 32exe |
| Infos: |   |
 | |
Detection
CMSBrute
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CMSBrute
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Process Parents
Sigma detected: System File Execution Location Anomaly
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
PHHOjspjmp.exe (PID: 6576 cmdline: "C:\Users\ user\Deskt op\PHHOjsp jmp.exe" MD5: 46D004A90BFC51D6447A0661F440E7A5) - PHHOjspjmp.exe (PID: 6512 cmdline:
"C:\Users\ user\Deskt op\PHHOjsp jmp.exe" MD5: 46D004A90BFC51D6447A0661F440E7A5)
- csrss.exe (PID: 2624 cmdline:
"C:\Progra mData\Driv ers\csrss. exe" MD5: 46D004A90BFC51D6447A0661F440E7A5) - csrss.exe (PID: 2792 cmdline:
"C:\Progra mData\Driv ers\csrss. exe" MD5: 46D004A90BFC51D6447A0661F440E7A5)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CMSBrute | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_CMSBrute | Yara detected CMSBrute | Joe Security | ||
| JoeSecurity_CMSBrute | Yara detected CMSBrute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CMSBrute | Yara detected CMSBrute | Joe Security | ||
| JoeSecurity_CMSBrute | Yara detected CMSBrute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: vburov: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Binary or memory string: | memstr_5f442bbf-0 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_06020110 | |
| Source: | Code function: | 3_2_061E0110 | |
| Source: | Code function: | 0_2_00406515 | |
| Source: | Code function: | 3_2_00406515 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_044BF7C6 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0069D030 | |
| Source: | Code function: | 0_2_00407738 | |
| Source: | Code function: | 0_2_04619A53 | |
| Source: | Code function: | 0_2_04566A36 | |
| Source: | Code function: | 0_2_0460DAEB | |
| Source: | Code function: | 0_2_045322C9 | |
| Source: | Code function: | 0_2_04619AB7 | |
| Source: | Code function: | 0_2_0454A3F3 | |
| Source: | Code function: | 1_2_006962AC | |
| Source: | Code function: | 3_2_00407738 | |
| Source: | Code function: | 3_2_0485AA97 | |
| Source: | Code function: | 3_2_0484EACB | |
| Source: | Code function: | 3_2_047A7A16 | |
| Source: | Code function: | 3_2_0485AA33 | |
| Source: | Code function: | 3_2_047732A9 | |
| Source: | Code function: | 3_2_0478B3D3 | |
| Source: | Code function: | 4_2_006962AC | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00406515 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-1360 | ||
| Source: | Evasive API call chain: | graph_3-1365 | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-1362 | ||
| Source: | API call chain: | graph_3-1367 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040A882 | |
| Source: | Code function: | 1_2_0069D030 | |
| Source: | Code function: | 0_2_044BF0A3 | |
| Source: | Code function: | 0_2_06020042 | |
| Source: | Code function: | 3_2_04700083 | |
| Source: | Code function: | 3_2_061E0042 | |
| Source: | Code function: | 0_2_00406914 | |
| Source: | Code function: | 0_2_0040A80D | |
| Source: | Code function: | 1_2_006943E0 | |
| Source: | Code function: | 1_2_00694A78 | |
| Source: | Code function: | 3_2_0040A80D | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_06020110 | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040A2D9 | |
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 Registry Run Keys / Startup Folder | 211 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 211 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Multi-hop Proxy | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 2 Proxy | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 50% | ReversingLabs | Win32.Trojan.Generic | ||
| 50% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1312652 | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1312652 | ||
| 100% | Joe Sandbox ML | |||
| 50% | ReversingLabs | Win32.Trojan.Generic | ||
| 50% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 171.25.193.9 | unknown | Sweden | 198093 | DFRI-ASForeningenfordigitalafri-ochrattigheterSE | false | |
| 85.10.240.250 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 45.66.33.45 | unknown | Netherlands | 47482 | SPECTRENL | false | |
| 195.201.94.113 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 8.209.79.125 | unknown | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false | |
| 143.107.229.120 | unknown | Brazil | 28571 | UNIVERSIDADEDESAOPAULOBR | false | |
| 51.158.147.25 | unknown | France | 12876 | OnlineSASFR | false | |
| 95.216.154.139 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 86.59.21.38 | unknown | Austria | 8437 | UTA-ASAT | false | |
| 93.186.202.32 | unknown | Germany | 24961 | MYLOC-ASIPBackboneofmyLocmanagedITAGDE | false | |
| 154.35.175.225 | unknown | United States | 14987 | RETHEMHOSTINGUS | false | |
| 128.31.0.39 | unknown | United States | 3 | MIT-GATEWAYSUS | false | |
| 62.78.194.4 | unknown | Finland | 16086 | DNAFI | false | |
| 51.91.121.255 | unknown | France | 16276 | OVHFR | false | |
| 195.154.106.60 | unknown | France | 12876 | OnlineSASFR | false | |
| 47.56.94.99 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false | |
| 185.220.101.205 | unknown | Germany | 208294 | ASMKNL | false | |
| 204.13.164.118 | unknown | United States | 25700 | 25700US | false | |
| 109.70.100.14 | unknown | Austria | 208323 | APPLIEDPRIVACY-ASAT | false | |
| 188.195.109.45 | unknown | Germany | 31334 | KABELDEUTSCHLAND-ASDE | false | |
| 46.105.227.109 | unknown | France | 16276 | OVHFR | false | |
| 151.197.240.154 | unknown | United States | 701 | UUNETUS | false | |
| 23.129.64.239 | unknown | United States | 396507 | EMERALD-ONIONUS | false | |
| 185.65.205.10 | unknown | Turkey | 59895 | CITYNETHOST-ASTR | false | |
| 104.149.129.210 | unknown | United States | 40676 | AS40676US | false | |
| 37.187.23.232 | unknown | France | 16276 | OVHFR | false | |
| 167.86.94.107 | unknown | Germany | 51167 | CONTABODE | false | |
| 217.160.255.217 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false | |
| 149.56.98.216 | unknown | Canada | 16276 | OVHFR | false | |
| 88.88.79.90 | unknown | Norway | 2119 | TELENOR-NEXTELTelenorNorgeASNO | false | |
| 198.245.49.18 | unknown | Canada | 16276 | OVHFR | false | |
| 31.127.34.9 | unknown | United Kingdom | 12576 | EELtdGB | false | |
| 193.218.118.100 | unknown | Ukraine | 207656 | EPINATURAUA | false | |
| 212.8.243.229 | unknown | Netherlands | 49981 | WORLDSTREAMNL | false | |
| 80.66.135.13 | unknown | Belgium | 1239 | SPRINTLINKUS | false | |
| 131.188.40.189 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false | |
| 188.68.53.92 | unknown | Germany | 197540 | NETCUP-ASnetcupGmbHDE | false | |
| 185.220.101.20 | unknown | Germany | 208294 | ASMKNL | false | |
| 46.188.6.64 | unknown | Russian Federation | 8334 | CO-2COM-ASMoscowRU | false | |
| 45.153.160.131 | unknown | Czech Republic | 55933 | CLOUDIE-AS-APCloudieLimitedHK | false | |
| 134.249.185.176 | unknown | Ukraine | 15895 | KSNET-ASUA | false | |
| 130.225.244.90 | unknown | Denmark | 1835 | FSKNET-DKForskningsnettet-DanishnetworkforResearchand | false | |
| 199.58.81.140 | unknown | Canada | 7765 | KOUMBITCA | false | |
| 212.47.227.71 | unknown | France | 12876 | OnlineSASFR | false | |
| 192.0.128.86 | unknown | Canada | 5645 | TEKSAVVYCA | false | |
| 91.121.160.6 | unknown | France | 16276 | OVHFR | false | |
| 75.176.45.87 | unknown | United States | 11426 | TWC-11426-CAROLINASUS | false | |
| 209.58.180.90 | unknown | Singapore | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | false | |
| 50.7.8.141 | unknown | United States | 174 | COGENT-174US | false | |
| 51.15.246.170 | unknown | France | 12876 | OnlineSASFR | false | |
| 51.38.65.160 | unknown | France | 16276 | OVHFR | false | |
| 173.249.63.227 | unknown | Germany | 51167 | CONTABODE | false |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1432016 |
| Start date and time: | 2024-04-26 09:40:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 9m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | PHHOjspjmp.exerenamed because original name is a hash value |
| Original Sample Name: | 46d004a90bfc51d6447a0661f440e7a5.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@6/3@0/53 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target csrss.exe, PID 2792 because there are no executed function
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 09:40:56 | Autostart | |
| 09:41:31 | API Interceptor | |
| 09:41:41 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 171.25.193.9 | Get hash | malicious | SystemBC | Browse |
| |
| Get hash | malicious | SystemBC | Browse |
| ||
| Get hash | malicious | SystemBC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | TinyNuke | Browse |
| ||
| Get hash | malicious | Kronos | Browse |
| ||
| Get hash | malicious | Kronos | Browse |
| ||
| Get hash | malicious | Kronos | Browse |
| ||
| 85.10.240.250 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Glupteba, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| 45.66.33.45 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse | |||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | Browse | |||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse | |||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse | |||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC | Browse | |||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC, Xmrig | Browse | |||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse | |||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse | |||
| Get hash | malicious | Glupteba, SmokeLoader, Stealc | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| HETZNER-ASDE | Get hash | malicious | Phisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GRQ Scam | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Babuk, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| SPECTRENL | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC, Xmrig | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse |
| ||
| DFRI-ASForeningenfordigitalafri-ochrattigheterSE | Get hash | malicious | Xmrig | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse |
| ||
| Get hash | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse |
| ||
| HETZNER-ASDE | Get hash | malicious | Phisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GRQ Scam | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Babuk, Djvu, Vidar | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Djvu, Vidar | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 83d60721ecc423892660e275acc4dffd | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse |
| ||
| Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\PHHOjspjmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1984000 |
| Entropy (8bit): | 7.929315097580162 |
| Encrypted: | false |
| SSDEEP: | 49152:nLxAcJhTYQsED8CC4C7xgFXlS/Gd5cRGrbnnSr:n1A89sIrC7xqSOd1Pn |
| MD5: | 46D004A90BFC51D6447A0661F440E7A5 |
| SHA1: | FE33BB099EC660D4CC2607A34BCF55C92C5DC0F8 |
| SHA-256: | A50139923127672A8083B6D24B45E102E358AA0FCB8B558A85386CF9892605AA |
| SHA-512: | D3D98C10323BB70867899D710333D06A0B47FC289D13E755FEA5C411E11AF236D066F8F44635F8D38BD71CE9173A56C9D3FC5E9FC5A624D2D3835119C962D355 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\PHHOjspjmp.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 209 |
| Entropy (8bit): | 4.751493858603209 |
| Encrypted: | false |
| SSDEEP: | 6:SbdWwxXrMdznXr87+QVe2vwR/Ep5fM8VFYQz:bwxXAdzXr87HVBvwNCdJz |
| MD5: | DBFFD796E5DECCE9AFF4EF0376EB6DEF |
| SHA1: | FCF1870EEBA15B82D512DF94DB94803DF0A5E449 |
| SHA-256: | 6C8D917EA7563003A742C8D654D57DEB9408426A131B16FADCDFF33DF5D8F57E |
| SHA-512: | 7DBA51EB1DB344F780A1BBB85C7C7EE46101D5A46A0BE57F7B4E23778C28E68930EFA37FA99868FCBA1FF1CED456B57D695B3BE292C9B696DA89D1D335C9C2F4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\PHHOjspjmp.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 209 |
| Entropy (8bit): | 4.751493858603209 |
| Encrypted: | false |
| SSDEEP: | 6:SbdWwxXrMdznXr87+QVe2vwR/Ep5fM8VFYQz:bwxXAdzXr87HVBvwNCdJz |
| MD5: | DBFFD796E5DECCE9AFF4EF0376EB6DEF |
| SHA1: | FCF1870EEBA15B82D512DF94DB94803DF0A5E449 |
| SHA-256: | 6C8D917EA7563003A742C8D654D57DEB9408426A131B16FADCDFF33DF5D8F57E |
| SHA-512: | 7DBA51EB1DB344F780A1BBB85C7C7EE46101D5A46A0BE57F7B4E23778C28E68930EFA37FA99868FCBA1FF1CED456B57D695B3BE292C9B696DA89D1D335C9C2F4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.929315097580162 |
| TrID: |
|
| File name: | PHHOjspjmp.exe |
| File size: | 1'984'000 bytes |
| MD5: | 46d004a90bfc51d6447a0661f440e7a5 |
| SHA1: | fe33bb099ec660d4cc2607a34bcf55c92c5dc0f8 |
| SHA256: | a50139923127672a8083b6d24b45e102e358aa0fcb8b558a85386cf9892605aa |
| SHA512: | d3d98c10323bb70867899d710333d06a0b47fc289d13e755fea5c411e11af236d066f8f44635f8d38bd71ce9173a56c9d3fc5e9fc5a624d2d3835119c962d355 |
| SSDEEP: | 49152:nLxAcJhTYQsED8CC4C7xgFXlS/Gd5cRGrbnnSr:n1A89sIrC7xqSOd1Pn |
| TLSH: | 04953302FEE6D0A0E1A7577A18907F21463DFD619E21B66B638C3F6D6D74A409312733 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................q.......N.......O.......=.............X/K.......u.....X/p.....Rich....................PE..L...n/.d........... |
 | |
| Icon Hash: | 411145554545410d |
| Entrypoint: | 0x404457 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x64C72F6E [Mon Jul 31 03:50:06 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 35d2f187a446fa7dcfd6bfdfd63133ca |
| Instruction |
|---|
| call 00007FBD9CD763D2h |
| jmp 00007FBD9CD70555h |
| push 00000014h |
| push 00418048h |
| call 00007FBD9CD737C8h |
| call 00007FBD9CD765A3h |
| movzx esi, ax |
| push 00000002h |
| call 00007FBD9CD76365h |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007FBD9CD70556h |
| xor ebx, ebx |
| jmp 00007FBD9CD70585h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007FBD9CD7053Dh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007FBD9CD7052Fh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007FBD9CD7055Bh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007FBD9CD7299Fh |
| test eax, eax |
| jne 00007FBD9CD7055Ah |
| push 0000001Ch |
| call 00007FBD9CD70631h |
| pop ecx |
| call 00007FBD9CD71F52h |
| test eax, eax |
| jne 00007FBD9CD7055Ah |
| push 00000010h |
| call 00007FBD9CD70620h |
| pop ecx |
| call 00007FBD9CD763DEh |
| and dword ptr [ebp-04h], 00000000h |
| call 00007FBD9CD74781h |
| test eax, eax |
| jns 00007FBD9CD7055Ah |
| push 0000001Bh |
| call 00007FBD9CD70606h |
| pop ecx |
| call dword ptr [004120B0h] |
| mov dword ptr [041C52A4h], eax |
| call 00007FBD9CD763F9h |
| mov dword ptr [005D780Ch], eax |
| call 00007FBD9CD75FB6h |
| test eax, eax |
| jns 00007FBD9CD7055Ah |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18454 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3dc6000 | 0xd5f8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3dd4000 | 0x137c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x121f0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17970 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x10035 | 0x10200 | dffe2d8fb38e0d1593fe6fc268529a8a | False | 0.6009114583333334 | data | 6.6896002971759545 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x12000 | 0x6ce4 | 0x6e00 | 5a414d0b57c53fcf7a644ec6d167da94 | False | 0.39147727272727273 | data | 4.729783722836041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x19000 | 0x3dac2a8 | 0x1be800 | c05b89c9fa7c65518e2e5e63f9ebdc90 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x3dc6000 | 0xd5f8 | 0xd600 | b6f07f7386462f0049219f160416f5ae | False | 0.5152234228971962 | data | 5.491653671420701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3dd4000 | 0x137c | 0x1400 | a2aace44608a5bb5aa85da63c5cc59de | False | 0.74765625 | data | 6.462085016602893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x3dd2e38 | 0xe | data | 1.5714285714285714 | ||
| RT_ICON | 0x3dc64a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5671641791044776 |
| RT_ICON | 0x3dc7348 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5496389891696751 |
| RT_ICON | 0x3dc7bf0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6170520231213873 |
| RT_ICON | 0x3dc8158 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4631742738589212 |
| RT_ICON | 0x3dca700 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4873358348968105 |
| RT_ICON | 0x3dcb7a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.49631147540983606 |
| RT_ICON | 0x3dcc130 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4530141843971631 |
| RT_ICON | 0x3dcc600 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4240405117270789 |
| RT_ICON | 0x3dcd4a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4833032490974729 |
| RT_ICON | 0x3dcdd50 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5835253456221198 |
| RT_ICON | 0x3dce418 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.4913294797687861 |
| RT_ICON | 0x3dce980 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4701244813278008 |
| RT_ICON | 0x3dd0f28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4878048780487805 |
| RT_ICON | 0x3dd1fd0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.5032786885245901 |
| RT_ICON | 0x3dd2958 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5514184397163121 |
| RT_STRING | 0x3dd3088 | 0x2bc | data | Romanian | Romania | 0.49142857142857144 |
| RT_STRING | 0x3dd3348 | 0x2ac | data | Romanian | Romania | 0.48830409356725146 |
| RT_GROUP_ICON | 0x3dcc598 | 0x68 | data | Romanian | Romania | 0.6923076923076923 |
| RT_GROUP_ICON | 0x3dd2dc0 | 0x76 | data | Romanian | Romania | 0.6779661016949152 |
| RT_VERSION | 0x3dd2e48 | 0x23c | data | 0.5314685314685315 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GlobalMemoryStatus, GetLocaleInfoA, FindResourceExW, LocalCompact, InterlockedDecrement, GetComputerNameW, CreateHardLinkA, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, GetUserDefaultLangID, SetCommState, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, SetCalendarInfoW, GetExitCodeThread, AddAtomW, GlobalFindAtomW, GetOEMCP, LoadLibraryExA, VirtualProtect, GetConsoleProcessList, GetTempPathA, GetVolumeInformationW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, OutputDebugStringW, LCMapStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, CreateFileW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Romanian | Romania |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 26, 2024 09:40:58.116678953 CEST | 49706 | 443 | 192.168.2.5 | 46.105.227.109 |
| Apr 26, 2024 09:40:58.116717100 CEST | 443 | 49706 | 46.105.227.109 | 192.168.2.5 |
| Apr 26, 2024 09:40:58.116802931 CEST | 49706 | 443 | 192.168.2.5 | 46.105.227.109 |
| Apr 26, 2024 09:40:58.121822119 CEST | 49706 | 443 | 192.168.2.5 | 46.105.227.109 |
| Apr 26, 2024 09:40:58.121850014 CEST | 443 | 49706 | 46.105.227.109 | 192.168.2.5 |
| Apr 26, 2024 09:40:58.956267118 CEST | 49707 | 9001 | 192.168.2.5 | 31.127.34.9 |
| Apr 26, 2024 09:40:59.971399069 CEST | 49707 | 9001 | 192.168.2.5 | 31.127.34.9 |
| Apr 26, 2024 09:41:00.956336975 CEST | 49708 | 9001 | 192.168.2.5 | 75.176.45.87 |
| Apr 26, 2024 09:41:01.971421003 CEST | 49708 | 9001 | 192.168.2.5 | 75.176.45.87 |
| Apr 26, 2024 09:41:01.971555948 CEST | 49707 | 9001 | 192.168.2.5 | 31.127.34.9 |
| Apr 26, 2024 09:41:03.971407890 CEST | 49708 | 9001 | 192.168.2.5 | 75.176.45.87 |
| Apr 26, 2024 09:41:05.971374035 CEST | 49707 | 9001 | 192.168.2.5 | 31.127.34.9 |
| Apr 26, 2024 09:41:07.971452951 CEST | 49708 | 9001 | 192.168.2.5 | 75.176.45.87 |
| Apr 26, 2024 09:41:13.971407890 CEST | 49707 | 9001 | 192.168.2.5 | 31.127.34.9 |
| Apr 26, 2024 09:41:15.971388102 CEST | 49708 | 9001 | 192.168.2.5 | 75.176.45.87 |
| Apr 26, 2024 09:41:19.972317934 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:19.972397089 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:19.972410917 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:41:19.972435951 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:19.972543955 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:19.972744942 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:19.972754002 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:19.972793102 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:41:19.972863913 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:19.972872019 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:20.611978054 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:20.612072945 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:20.615999937 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:20.616008043 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:20.616447926 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:20.620009899 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:41:20.664119959 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:41:21.035801888 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:41:21.035986900 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:21.039870024 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:21.039901018 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:41:21.040144920 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:41:21.040462017 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:41:21.088124990 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:42:10.206613064 CEST | 49722 | 9001 | 192.168.2.5 | 51.91.121.255 |
| Apr 26, 2024 09:42:11.221463919 CEST | 49722 | 9001 | 192.168.2.5 | 51.91.121.255 |
| Apr 26, 2024 09:42:13.128273010 CEST | 49723 | 443 | 192.168.2.5 | 198.245.49.18 |
| Apr 26, 2024 09:42:13.128371954 CEST | 443 | 49723 | 198.245.49.18 | 192.168.2.5 |
| Apr 26, 2024 09:42:13.128446102 CEST | 49723 | 443 | 192.168.2.5 | 198.245.49.18 |
| Apr 26, 2024 09:42:13.128524065 CEST | 49724 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:13.128554106 CEST | 443 | 49724 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:13.128597975 CEST | 49724 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:13.128750086 CEST | 49723 | 443 | 192.168.2.5 | 198.245.49.18 |
| Apr 26, 2024 09:42:13.128768921 CEST | 443 | 49723 | 198.245.49.18 | 192.168.2.5 |
| Apr 26, 2024 09:42:13.128933907 CEST | 49724 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:13.128940105 CEST | 443 | 49724 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:13.221426964 CEST | 49722 | 9001 | 192.168.2.5 | 51.91.121.255 |
| Apr 26, 2024 09:42:17.221338034 CEST | 49722 | 9001 | 192.168.2.5 | 51.91.121.255 |
| Apr 26, 2024 09:42:24.064701080 CEST | 49724 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:24.064785957 CEST | 49723 | 443 | 192.168.2.5 | 198.245.49.18 |
| Apr 26, 2024 09:42:24.064918041 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:42:24.064990997 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:42:24.065062046 CEST | 443 | 49719 | 51.15.246.170 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.065120935 CEST | 49719 | 443 | 192.168.2.5 | 51.15.246.170 |
| Apr 26, 2024 09:42:24.065190077 CEST | 443 | 49720 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.065257072 CEST | 49720 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:42:24.065289974 CEST | 49706 | 443 | 192.168.2.5 | 46.105.227.109 |
| Apr 26, 2024 09:42:24.082918882 CEST | 49726 | 9001 | 192.168.2.5 | 95.216.154.139 |
| Apr 26, 2024 09:42:24.083142042 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.096352100 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.096385002 CEST | 443 | 49728 | 195.201.94.113 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.096435070 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.096654892 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.096669912 CEST | 443 | 49728 | 195.201.94.113 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.108119011 CEST | 443 | 49723 | 198.245.49.18 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.108124971 CEST | 443 | 49724 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.108149052 CEST | 443 | 49706 | 46.105.227.109 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.339060068 CEST | 80 | 49727 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.340010881 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.340612888 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.341690063 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.342390060 CEST | 49729 | 9101 | 192.168.2.5 | 128.31.0.39 |
| Apr 26, 2024 09:42:24.342879057 CEST | 49730 | 443 | 192.168.2.5 | 23.129.64.239 |
| Apr 26, 2024 09:42:24.342926979 CEST | 443 | 49730 | 23.129.64.239 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.343086004 CEST | 49730 | 443 | 192.168.2.5 | 23.129.64.239 |
| Apr 26, 2024 09:42:24.343794107 CEST | 49730 | 443 | 192.168.2.5 | 23.129.64.239 |
| Apr 26, 2024 09:42:24.343821049 CEST | 443 | 49730 | 23.129.64.239 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.344485998 CEST | 49731 | 10020 | 192.168.2.5 | 185.220.101.20 |
| Apr 26, 2024 09:42:24.347357035 CEST | 9001 | 49726 | 95.216.154.139 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.388113976 CEST | 443 | 49728 | 195.201.94.113 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.506947994 CEST | 9101 | 49729 | 128.31.0.39 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.589322090 CEST | 10020 | 49731 | 185.220.101.20 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.598270893 CEST | 80 | 49727 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.602351904 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.617652893 CEST | 49730 | 443 | 192.168.2.5 | 23.129.64.239 |
| Apr 26, 2024 09:42:24.617892027 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.637928009 CEST | 443 | 49730 | 23.129.64.239 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.649780989 CEST | 49732 | 9001 | 192.168.2.5 | 193.218.118.100 |
| Apr 26, 2024 09:42:24.650038958 CEST | 49733 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:24.650078058 CEST | 443 | 49733 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.650160074 CEST | 49733 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:24.658953905 CEST | 49733 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:24.658982992 CEST | 443 | 49733 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.847742081 CEST | 443 | 49728 | 195.201.94.113 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.847817898 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.847817898 CEST | 49728 | 443 | 192.168.2.5 | 195.201.94.113 |
| Apr 26, 2024 09:42:24.858779907 CEST | 80 | 49727 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.859889030 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.862214088 CEST | 49733 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:24.873933077 CEST | 80 | 49727 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.873969078 CEST | 80 | 49727 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.873985052 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.874021053 CEST | 49727 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:42:24.874927998 CEST | 49734 | 443 | 192.168.2.5 | 217.160.255.217 |
| Apr 26, 2024 09:42:24.875003099 CEST | 443 | 49734 | 217.160.255.217 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.875093937 CEST | 49734 | 443 | 192.168.2.5 | 217.160.255.217 |
| Apr 26, 2024 09:42:24.875194073 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:24.875228882 CEST | 443 | 49735 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.875376940 CEST | 49734 | 443 | 192.168.2.5 | 217.160.255.217 |
| Apr 26, 2024 09:42:24.875396013 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:24.875423908 CEST | 443 | 49734 | 217.160.255.217 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.875528097 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:24.875569105 CEST | 443 | 49735 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.904115915 CEST | 443 | 49733 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:24.918163061 CEST | 9001 | 49732 | 193.218.118.100 | 192.168.2.5 |
| Apr 26, 2024 09:42:25.443141937 CEST | 443 | 49735 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:25.443238974 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:25.446548939 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:25.446566105 CEST | 443 | 49735 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:25.446966887 CEST | 443 | 49735 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:25.486932993 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:25.487994909 CEST | 49735 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:25.503854990 CEST | 49734 | 443 | 192.168.2.5 | 217.160.255.217 |
| Apr 26, 2024 09:42:25.544116974 CEST | 443 | 49734 | 217.160.255.217 | 192.168.2.5 |
| Apr 26, 2024 09:42:25.552944899 CEST | 49736 | 40233 | 192.168.2.5 | 143.107.229.120 |
| Apr 26, 2024 09:42:25.800277948 CEST | 40233 | 49736 | 143.107.229.120 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.326419115 CEST | 49737 | 9001 | 192.168.2.5 | 192.0.128.86 |
| Apr 26, 2024 09:42:26.326582909 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.326634884 CEST | 443 | 49738 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.326692104 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.327111006 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.327126980 CEST | 443 | 49738 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.855554104 CEST | 443 | 49738 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.855660915 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.861443043 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.861479998 CEST | 443 | 49738 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.861989021 CEST | 443 | 49738 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.883654118 CEST | 49738 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:42:26.887180090 CEST | 49739 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:26.887227058 CEST | 443 | 49739 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:26.887283087 CEST | 49739 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:26.887367964 CEST | 49740 | 9001 | 192.168.2.5 | 151.197.240.154 |
| Apr 26, 2024 09:42:26.887495041 CEST | 49739 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:26.887514114 CEST | 443 | 49739 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:27.879890919 CEST | 49740 | 9001 | 192.168.2.5 | 151.197.240.154 |
| Apr 26, 2024 09:42:27.935189009 CEST | 49739 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:42:27.976124048 CEST | 443 | 49739 | 154.35.175.225 | 192.168.2.5 |
| Apr 26, 2024 09:42:29.060456991 CEST | 49741 | 9001 | 192.168.2.5 | 46.188.6.64 |
| Apr 26, 2024 09:42:32.474675894 CEST | 49742 | 9001 | 192.168.2.5 | 173.249.63.227 |
| Apr 26, 2024 09:42:32.720665932 CEST | 9001 | 49742 | 173.249.63.227 | 192.168.2.5 |
| Apr 26, 2024 09:42:34.392432928 CEST | 49743 | 9001 | 192.168.2.5 | 47.56.94.99 |
| Apr 26, 2024 09:42:35.393187046 CEST | 49743 | 9001 | 192.168.2.5 | 47.56.94.99 |
| Apr 26, 2024 09:42:35.430202961 CEST | 49744 | 9001 | 192.168.2.5 | 80.66.135.13 |
| Apr 26, 2024 09:42:36.468961954 CEST | 49745 | 80 | 192.168.2.5 | 88.88.79.90 |
| Apr 26, 2024 09:42:36.469266891 CEST | 49746 | 9001 | 192.168.2.5 | 8.209.79.125 |
| Apr 26, 2024 09:42:37.471318960 CEST | 49746 | 9001 | 192.168.2.5 | 8.209.79.125 |
| Apr 26, 2024 09:42:37.471329927 CEST | 49745 | 80 | 192.168.2.5 | 88.88.79.90 |
| Apr 26, 2024 09:42:37.542545080 CEST | 49747 | 443 | 192.168.2.5 | 104.149.129.210 |
| Apr 26, 2024 09:42:37.542591095 CEST | 443 | 49747 | 104.149.129.210 | 192.168.2.5 |
| Apr 26, 2024 09:42:37.542710066 CEST | 49747 | 443 | 192.168.2.5 | 104.149.129.210 |
| Apr 26, 2024 09:42:37.542901993 CEST | 49747 | 443 | 192.168.2.5 | 104.149.129.210 |
| Apr 26, 2024 09:42:37.542916059 CEST | 443 | 49747 | 104.149.129.210 | 192.168.2.5 |
| Apr 26, 2024 09:42:38.179908991 CEST | 49747 | 443 | 192.168.2.5 | 104.149.129.210 |
| Apr 26, 2024 09:42:38.184957981 CEST | 49748 | 9001 | 192.168.2.5 | 167.86.94.107 |
| Apr 26, 2024 09:42:38.224118948 CEST | 443 | 49747 | 104.149.129.210 | 192.168.2.5 |
| Apr 26, 2024 09:42:39.279866934 CEST | 49749 | 443 | 192.168.2.5 | 50.7.8.141 |
| Apr 26, 2024 09:42:39.279917955 CEST | 443 | 49749 | 50.7.8.141 | 192.168.2.5 |
| Apr 26, 2024 09:42:39.279993057 CEST | 49749 | 443 | 192.168.2.5 | 50.7.8.141 |
| Apr 26, 2024 09:42:39.280205011 CEST | 49749 | 443 | 192.168.2.5 | 50.7.8.141 |
| Apr 26, 2024 09:42:39.280220032 CEST | 443 | 49749 | 50.7.8.141 | 192.168.2.5 |
| Apr 26, 2024 09:42:40.293611050 CEST | 49749 | 443 | 192.168.2.5 | 50.7.8.141 |
| Apr 26, 2024 09:42:40.298737049 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:40.298787117 CEST | 443 | 49750 | 85.10.240.250 | 192.168.2.5 |
| Apr 26, 2024 09:42:40.298841000 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:40.299113989 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:40.299129009 CEST | 443 | 49750 | 85.10.240.250 | 192.168.2.5 |
| Apr 26, 2024 09:42:40.336159945 CEST | 443 | 49749 | 50.7.8.141 | 192.168.2.5 |
| Apr 26, 2024 09:42:41.065591097 CEST | 443 | 49750 | 85.10.240.250 | 192.168.2.5 |
| Apr 26, 2024 09:42:41.065680027 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:41.071650982 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:41.071676970 CEST | 443 | 49750 | 85.10.240.250 | 192.168.2.5 |
| Apr 26, 2024 09:42:41.072024107 CEST | 443 | 49750 | 85.10.240.250 | 192.168.2.5 |
| Apr 26, 2024 09:42:41.072160959 CEST | 49750 | 443 | 192.168.2.5 | 85.10.240.250 |
| Apr 26, 2024 09:42:41.079564095 CEST | 49751 | 9001 | 192.168.2.5 | 93.186.202.32 |
| Apr 26, 2024 09:42:41.327071905 CEST | 9001 | 49751 | 93.186.202.32 | 192.168.2.5 |
| Apr 26, 2024 09:42:41.986932993 CEST | 49751 | 9001 | 192.168.2.5 | 93.186.202.32 |
| Apr 26, 2024 09:42:42.233513117 CEST | 9001 | 49751 | 93.186.202.32 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.168162107 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.168241024 CEST | 443 | 49752 | 195.154.106.60 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.168307066 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.168463945 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:43.168513060 CEST | 443 | 49753 | 131.188.40.189 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.168559074 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:43.168705940 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.168732882 CEST | 443 | 49752 | 195.154.106.60 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.168891907 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:43.168908119 CEST | 443 | 49753 | 131.188.40.189 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.648991108 CEST | 443 | 49752 | 195.154.106.60 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.649101973 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.653047085 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.653070927 CEST | 443 | 49752 | 195.154.106.60 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.653332949 CEST | 443 | 49752 | 195.154.106.60 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.653371096 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:43.681530952 CEST | 49752 | 443 | 192.168.2.5 | 195.154.106.60 |
| Apr 26, 2024 09:42:43.690329075 CEST | 49754 | 9001 | 192.168.2.5 | 62.78.194.4 |
| Apr 26, 2024 09:42:43.700118065 CEST | 443 | 49753 | 131.188.40.189 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.940874100 CEST | 443 | 49753 | 131.188.40.189 | 192.168.2.5 |
| Apr 26, 2024 09:42:43.940968037 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:43.940968037 CEST | 49753 | 443 | 192.168.2.5 | 131.188.40.189 |
| Apr 26, 2024 09:42:44.545993090 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:44.797739029 CEST | 9001 | 49755 | 51.38.65.160 | 192.168.2.5 |
| Apr 26, 2024 09:42:44.797832012 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:44.798155069 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:44.798691034 CEST | 49756 | 9001 | 192.168.2.5 | 212.8.243.229 |
| Apr 26, 2024 09:42:45.032668114 CEST | 9001 | 49756 | 212.8.243.229 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.058219910 CEST | 9001 | 49755 | 51.38.65.160 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.063555956 CEST | 9001 | 49755 | 51.38.65.160 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.068481922 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:45.068869114 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:45.073894024 CEST | 49757 | 443 | 192.168.2.5 | 188.68.53.92 |
| Apr 26, 2024 09:42:45.073980093 CEST | 443 | 49757 | 188.68.53.92 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.074059010 CEST | 49757 | 443 | 192.168.2.5 | 188.68.53.92 |
| Apr 26, 2024 09:42:45.081006050 CEST | 49757 | 443 | 192.168.2.5 | 188.68.53.92 |
| Apr 26, 2024 09:42:45.081036091 CEST | 443 | 49757 | 188.68.53.92 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.326925993 CEST | 9001 | 49755 | 51.38.65.160 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.326971054 CEST | 9001 | 49755 | 51.38.65.160 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.327927113 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:45.327927113 CEST | 49755 | 9001 | 192.168.2.5 | 51.38.65.160 |
| Apr 26, 2024 09:42:45.960643053 CEST | 49757 | 443 | 192.168.2.5 | 188.68.53.92 |
| Apr 26, 2024 09:42:45.970371962 CEST | 49758 | 443 | 192.168.2.5 | 109.70.100.14 |
| Apr 26, 2024 09:42:45.970426083 CEST | 443 | 49758 | 109.70.100.14 | 192.168.2.5 |
| Apr 26, 2024 09:42:45.973994970 CEST | 49758 | 443 | 192.168.2.5 | 109.70.100.14 |
| Apr 26, 2024 09:42:45.994496107 CEST | 49758 | 443 | 192.168.2.5 | 109.70.100.14 |
| Apr 26, 2024 09:42:45.994513988 CEST | 443 | 49758 | 109.70.100.14 | 192.168.2.5 |
| Apr 26, 2024 09:42:46.008155107 CEST | 443 | 49757 | 188.68.53.92 | 192.168.2.5 |
| Apr 26, 2024 09:42:46.096399069 CEST | 49758 | 443 | 192.168.2.5 | 109.70.100.14 |
| Apr 26, 2024 09:42:46.140140057 CEST | 443 | 49758 | 109.70.100.14 | 192.168.2.5 |
| Apr 26, 2024 09:42:46.261601925 CEST | 443 | 49758 | 109.70.100.14 | 192.168.2.5 |
| Apr 26, 2024 09:42:47.138362885 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:47.138425112 CEST | 443 | 49759 | 130.225.244.90 | 192.168.2.5 |
| Apr 26, 2024 09:42:47.138488054 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:47.138765097 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:47.138782978 CEST | 443 | 49759 | 130.225.244.90 | 192.168.2.5 |
| Apr 26, 2024 09:42:47.954581976 CEST | 443 | 49759 | 130.225.244.90 | 192.168.2.5 |
| Apr 26, 2024 09:42:47.954684019 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:47.963887930 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:47.963908911 CEST | 443 | 49759 | 130.225.244.90 | 192.168.2.5 |
| Apr 26, 2024 09:42:47.964200020 CEST | 443 | 49759 | 130.225.244.90 | 192.168.2.5 |
| Apr 26, 2024 09:42:48.053487062 CEST | 49759 | 443 | 192.168.2.5 | 130.225.244.90 |
| Apr 26, 2024 09:42:50.928241968 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:50.928287983 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:50.928344011 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:50.928580046 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:50.928597927 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:51.439898968 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:51.440036058 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:51.447676897 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:51.447702885 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:51.447858095 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:51.448057890 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:51.448260069 CEST | 443 | 49760 | 51.158.147.25 | 192.168.2.5 |
| Apr 26, 2024 09:42:51.448260069 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:51.449481010 CEST | 49760 | 443 | 192.168.2.5 | 51.158.147.25 |
| Apr 26, 2024 09:42:52.374377012 CEST | 49761 | 9001 | 192.168.2.5 | 45.153.160.131 |
| Apr 26, 2024 09:42:52.374460936 CEST | 49762 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:52.374500990 CEST | 443 | 49762 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:52.374591112 CEST | 49762 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:52.374768972 CEST | 49762 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:52.374779940 CEST | 443 | 49762 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:52.541320086 CEST | 9001 | 49761 | 45.153.160.131 | 192.168.2.5 |
| Apr 26, 2024 09:42:52.674865007 CEST | 49762 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:42:52.679996967 CEST | 49763 | 10205 | 192.168.2.5 | 185.220.101.205 |
| Apr 26, 2024 09:42:52.720119953 CEST | 443 | 49762 | 45.66.33.45 | 192.168.2.5 |
| Apr 26, 2024 09:42:52.929615021 CEST | 10205 | 49763 | 185.220.101.205 | 192.168.2.5 |
| Apr 26, 2024 09:42:53.487874031 CEST | 49763 | 10205 | 192.168.2.5 | 185.220.101.205 |
| Apr 26, 2024 09:42:53.735579014 CEST | 10205 | 49763 | 185.220.101.205 | 192.168.2.5 |
| Apr 26, 2024 09:42:54.283799887 CEST | 49763 | 10205 | 192.168.2.5 | 185.220.101.205 |
| Apr 26, 2024 09:42:54.529665947 CEST | 10205 | 49763 | 185.220.101.205 | 192.168.2.5 |
| Apr 26, 2024 09:42:56.386188984 CEST | 49764 | 9001 | 192.168.2.5 | 212.47.227.71 |
| Apr 26, 2024 09:42:58.444003105 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:58.677386999 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:58.677475929 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:58.677861929 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:58.911151886 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:58.927617073 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:58.932523966 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:59.170227051 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:59.176306963 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:59.409863949 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:59.409929991 CEST | 80 | 49765 | 37.187.23.232 | 192.168.2.5 |
| Apr 26, 2024 09:42:59.414150000 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:42:59.414150000 CEST | 49765 | 80 | 192.168.2.5 | 37.187.23.232 |
| Apr 26, 2024 09:43:02.321631908 CEST | 49766 | 9001 | 192.168.2.5 | 149.56.98.216 |
| Apr 26, 2024 09:43:05.131942987 CEST | 49767 | 9001 | 192.168.2.5 | 134.249.185.176 |
| Apr 26, 2024 09:43:07.944817066 CEST | 443 | 49706 | 46.105.227.109 | 192.168.2.5 |
| Apr 26, 2024 09:43:10.448343039 CEST | 49768 | 9001 | 192.168.2.5 | 188.195.109.45 |
| Apr 26, 2024 09:43:11.471282005 CEST | 49768 | 9001 | 192.168.2.5 | 188.195.109.45 |
| Apr 26, 2024 09:43:26.352849007 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:26.352910995 CEST | 443 | 49769 | 209.58.180.90 | 192.168.2.5 |
| Apr 26, 2024 09:43:26.352977991 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:26.353097916 CEST | 49770 | 443 | 192.168.2.5 | 86.59.21.38 |
| Apr 26, 2024 09:43:26.353136063 CEST | 443 | 49770 | 86.59.21.38 | 192.168.2.5 |
| Apr 26, 2024 09:43:26.353240013 CEST | 49770 | 443 | 192.168.2.5 | 86.59.21.38 |
| Apr 26, 2024 09:43:26.353401899 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:26.353420019 CEST | 443 | 49769 | 209.58.180.90 | 192.168.2.5 |
| Apr 26, 2024 09:43:26.353634119 CEST | 49770 | 443 | 192.168.2.5 | 86.59.21.38 |
| Apr 26, 2024 09:43:26.353646994 CEST | 443 | 49770 | 86.59.21.38 | 192.168.2.5 |
| Apr 26, 2024 09:43:26.606384993 CEST | 443 | 49770 | 86.59.21.38 | 192.168.2.5 |
| Apr 26, 2024 09:43:26.606770992 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:26.648159027 CEST | 443 | 49769 | 209.58.180.90 | 192.168.2.5 |
| Apr 26, 2024 09:43:27.454508066 CEST | 443 | 49769 | 209.58.180.90 | 192.168.2.5 |
| Apr 26, 2024 09:43:27.454719067 CEST | 443 | 49769 | 209.58.180.90 | 192.168.2.5 |
| Apr 26, 2024 09:43:27.454734087 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:27.454735041 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:27.454843044 CEST | 49769 | 443 | 192.168.2.5 | 209.58.180.90 |
| Apr 26, 2024 09:43:45.891865015 CEST | 49771 | 9001 | 192.168.2.5 | 91.121.160.6 |
| Apr 26, 2024 09:43:45.892085075 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.126060963 CEST | 9001 | 49771 | 91.121.160.6 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.154262066 CEST | 80 | 49772 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.154346943 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.154720068 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.418283939 CEST | 80 | 49772 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.422144890 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.422261000 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.684336901 CEST | 80 | 49772 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.684443951 CEST | 80 | 49772 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.684480906 CEST | 80 | 49772 | 171.25.193.9 | 192.168.2.5 |
| Apr 26, 2024 09:43:46.684595108 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:43:46.684595108 CEST | 49772 | 80 | 192.168.2.5 | 171.25.193.9 |
| Apr 26, 2024 09:44:06.165486097 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:06.165594101 CEST | 443 | 49773 | 185.65.205.10 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.165663004 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:06.165834904 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.165865898 CEST | 443 | 49774 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.165911913 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.166136026 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:06.166176081 CEST | 443 | 49773 | 185.65.205.10 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.166274071 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.166286945 CEST | 443 | 49774 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.694346905 CEST | 443 | 49774 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.694495916 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.698194981 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.698194981 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.698204041 CEST | 443 | 49774 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.698587894 CEST | 443 | 49774 | 199.58.81.140 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.698720932 CEST | 49774 | 443 | 192.168.2.5 | 199.58.81.140 |
| Apr 26, 2024 09:44:06.752274036 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:06.800120115 CEST | 443 | 49773 | 185.65.205.10 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.902483940 CEST | 443 | 49773 | 185.65.205.10 | 192.168.2.5 |
| Apr 26, 2024 09:44:06.902585030 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:06.902585030 CEST | 49773 | 443 | 192.168.2.5 | 185.65.205.10 |
| Apr 26, 2024 09:44:24.174326897 CEST | 49724 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:44:24.174329042 CEST | 49723 | 443 | 192.168.2.5 | 198.245.49.18 |
| Apr 26, 2024 09:44:24.971218109 CEST | 49733 | 443 | 192.168.2.5 | 45.66.33.45 |
| Apr 26, 2024 09:44:25.674331903 CEST | 49734 | 443 | 192.168.2.5 | 217.160.255.217 |
| Apr 26, 2024 09:44:28.174326897 CEST | 49739 | 443 | 192.168.2.5 | 154.35.175.225 |
| Apr 26, 2024 09:44:37.630269051 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:37.630302906 CEST | 443 | 49775 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:44:37.630358934 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:37.630604982 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:37.630614996 CEST | 443 | 49775 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:44:38.257878065 CEST | 443 | 49775 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:44:38.257951975 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:38.262583017 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:38.262593031 CEST | 443 | 49775 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:44:38.262727976 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:38.262989998 CEST | 443 | 49775 | 204.13.164.118 | 192.168.2.5 |
| Apr 26, 2024 09:44:38.263046980 CEST | 49775 | 443 | 192.168.2.5 | 204.13.164.118 |
| Apr 26, 2024 09:44:38.361804962 CEST | 49747 | 443 | 192.168.2.5 | 104.149.129.210 |
| Apr 26, 2024 09:44:40.487895966 CEST | 49749 | 443 | 192.168.2.5 | 50.7.8.141 |
| Apr 26, 2024 09:44:46.080575943 CEST | 49757 | 443 | 192.168.2.5 | 188.68.53.92 |
| Apr 26, 2024 09:44:52.783776045 CEST | 49762 | 443 | 192.168.2.5 | 45.66.33.45 |
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Apr 26, 2024 09:42:38.430630922 CEST | 167.86.94.107 | 192.168.2.5 | c58b | (Unknown) | Destination Unreachable |
| Apr 26, 2024 09:43:10.710418940 CEST | 188.195.109.45 | 192.168.2.5 | d2e | (Unknown) | Destination Unreachable |
| Apr 26, 2024 09:43:11.729929924 CEST | 188.195.109.45 | 192.168.2.5 | d2e | (Unknown) | Destination Unreachable |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49727 | 171.25.193.9 | 80 | 6512 | C:\Users\user\Desktop\PHHOjspjmp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Apr 26, 2024 09:42:24.340612888 CEST | 201 | OUT | |
| Apr 26, 2024 09:42:24.598270893 CEST | 1017 | IN | |
| Apr 26, 2024 09:42:24.602351904 CEST | 126 | OUT | |
| Apr 26, 2024 09:42:24.858779907 CEST | 51 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49765 | 37.187.23.232 | 80 | 6512 | C:\Users\user\Desktop\PHHOjspjmp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Apr 26, 2024 09:42:58.677861929 CEST | 203 | OUT | |
| Apr 26, 2024 09:42:58.927617073 CEST | 1005 | IN | |
| Apr 26, 2024 09:42:58.932523966 CEST | 126 | OUT | |
| Apr 26, 2024 09:42:59.170227051 CEST | 51 | IN | |
| Apr 26, 2024 09:42:59.409863949 CEST | 31 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49772 | 171.25.193.9 | 80 | 6512 | C:\Users\user\Desktop\PHHOjspjmp.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Apr 26, 2024 09:43:46.154720068 CEST | 190 | OUT | |
| Apr 26, 2024 09:43:46.418283939 CEST | 1017 | IN | |
| Apr 26, 2024 09:43:46.422144890 CEST | 126 | OUT | |
| Apr 26, 2024 09:43:46.684443951 CEST | 51 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:40:54 |
| Start date: | 26/04/2024 |
| Path: | C:\Users\user\Desktop\PHHOjspjmp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'984'000 bytes |
| MD5 hash: | 46D004A90BFC51D6447A0661F440E7A5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:40:55 |
| Start date: | 26/04/2024 |
| Path: | C:\Users\user\Desktop\PHHOjspjmp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'984'000 bytes |
| MD5 hash: | 46D004A90BFC51D6447A0661F440E7A5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 3 |
| Start time: | 09:41:04 |
| Start date: | 26/04/2024 |
| Path: | C:\ProgramData\Drivers\csrss.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'984'000 bytes |
| MD5 hash: | 46D004A90BFC51D6447A0661F440E7A5 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 09:41:05 |
| Start date: | 26/04/2024 |
| Path: | C:\ProgramData\Drivers\csrss.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'984'000 bytes |
| MD5 hash: | 46D004A90BFC51D6447A0661F440E7A5 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 24.4% |
| Dynamic/Decrypted Code Coverage: | 16.4% |
| Signature Coverage: | 13.4% |
| Total number of Nodes: | 232 |
| Total number of Limit Nodes: | 8 |
Graph
Function 06020110 Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 044BF7C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 044BF485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406914 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 044BF0A3 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 06020042 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004050CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 15.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 27 |
| Total number of Limit Nodes: | 0 |
Graph
Callgraph
Function 00694A87 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 24.3% |
| Dynamic/Decrypted Code Coverage: | 16.7% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 233 |
| Total number of Limit Nodes: | 7 |
Graph
Function 061E0110 Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 047007A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04700465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004050CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |