Edit tour

Windows Analysis Report
jgbC220X2U.exe

Overview

General Information

Sample name:	jgbC220X2U.exe renamed because original name is a hash value
Original sample name:	f88fa3aa1dc3a59d1914254917c835783d84d384675f3622dde5aa7893952c96.exe
Analysis ID:	1573000
MD5:	28354f3e0d66d054bf0d05c3caf1e28a
SHA1:	612fa801d24607511387c8e051bd6de9e0d26b9e
SHA256:	f88fa3aa1dc3a59d1914254917c835783d84d384675f3622dde5aa7893952c96
Tags:	exeloclx-iouser-JAMESWT_MHT
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

jgbC220X2U.exe (PID: 1488 cmdline: "C:\Users\user\Desktop\jgbC220X2U.exe" MD5: 28354F3E0D66D054BF0D05C3CAF1E28A)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pepwuecibr.eu.loclx.io/command	Avira URL Cloud: Label: phishing
Source: http://pepwuecibr.eu.loclx.io	Avira URL Cloud: Label: phishing
Source: http://pepwuecibr.eu.loclx.io/status	Avira URL Cloud: Label: phishing

Source: jgbC220X2U.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rdi	0_2_00007FF72A03AB9D
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06AA50
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF72A0C6B00
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rsi	0_2_00007FF72A042348
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rsi	0_2_00007FF72A04234D
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06A4D0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	0_2_00007FF72A02A510
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rbp	0_2_00007FF729FDE2A0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r15	0_2_00007FF729FDA8B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r14	0_2_00007FF72A0166C0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then sub rsp, 38h	0_2_00007FF72A077BB0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then sub rsp, 38h	0_2_00007FF72A0739B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06BF80
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06FF10
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06B3B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06F150
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06B1F0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rcx]	0_2_00007FF729FD37E0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rsi	0_2_00007FF72A077640
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	0_2_00007FF72A028FF0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rsi	0_2_00007FF72A07CEC0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then jmp 00007FF72A041000h	0_2_00007FF72A044348
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then jmp 00007FF72A041000h	0_2_00007FF72A04434D
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+10h]	0_2_00007FF72A08C410
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rcx, rsi	0_2_00007FF72A06844A
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rcx, rsi	0_2_00007FF72A068457
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rcx, rsi	0_2_00007FF72A0681F0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rdi	0_2_00007FF72A0688B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06DB20
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then jmp 00007FF72A01E8D0h	0_2_00007FF72A021CE8
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then jmp 00007FF72A01E8D0h	0_2_00007FF72A021CED
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+10h]	0_2_00007FF72A08D970
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rdi	0_2_00007FF72A04602A
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r13	0_2_00007FF72A079E60
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r13	0_2_00007FF72A079E60
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r13	0_2_00007FF72A0793C0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r13	0_2_00007FF72A0793C0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rsi	0_2_00007FF72A07D4E0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push rdi	0_2_00007FF72A03D12D
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	0_2_00007FF72A0AD1A0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rax, qword ptr [rbp+38h]	0_2_00007FF72A06D220
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r12	0_2_00007FF72A0512B6
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r12	0_2_00007FF72A0512B1
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then push r15	0_2_00007FF72A00D520
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 4x nop then mov rcx, rsi	0_2_00007FF72A0681F0

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF72A0BFA30 recv,recv,

0_2_00007FF72A0BFA30

Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close
Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: api.ipify.orgConnection: close
Source: global traffic	HTTP traffic detected: GET /command HTTP/1.1User-Agent: cpp-httplib/0.18.0Accept: /Host: pepwuecibr.eu.loclx.ioConnection: close

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: pepwuecibr.eu.loclx.io

Source: unknown

HTTP traffic detected: POST /status HTTP/1.1Content-Length: 39User-Agent: cpp-httplib/0.18.0Accept: */*Host: pepwuecibr.eu.loclx.ioConnection: closeContent-Type: application/json

Source: jgbC220X2U.exe	String found in binary or memory: http://api.ipify.org
Source: jgbC220X2U.exe	String found in binary or memory: http://api.ipify.org/?format=textUnknown
Source: jgbC220X2U.exe	String found in binary or memory: http://pepwuecibr.eu.loclx.io
Source: jgbC220X2U.exe, 00000000.00000002.3289657421.00000248F1DE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.
Source: jgbC220X2U.exe, 00000000.00000002.3289536896.00000089B8FF9000.00000004.00000010.00020000.00000000.sdmp, jgbC220X2U.exe, 00000000.00000002.3289657421.00000248F1DE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito:700

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729FB2050 ntohs,ntohs,getnameinfo,

0_2_00007FF729FB2050

Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FA5450	0_2_00007FF729FA5450
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FCECA0	0_2_00007FF729FCECA0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF6CFE	0_2_00007FF729FF6CFE
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF2AB0	0_2_00007FF729FF2AB0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729F8AFA0	0_2_00007FF729F8AFA0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FE30B0	0_2_00007FF729FE30B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF72A0A6EA0	0_2_00007FF72A0A6EA0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729F8EF16	0_2_00007FF729F8EF16
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FCE380	0_2_00007FF729FCE380
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF2150	0_2_00007FF729FF2150
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FDE2A0	0_2_00007FF729FDE2A0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FD6300	0_2_00007FF729FD6300
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FEE815	0_2_00007FF729FEE815
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FDA8B0	0_2_00007FF729FDA8B0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFE900	0_2_00007FF729FFE900
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFA711	0_2_00007FF729FFA711
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF7B7E	0_2_00007FF729FF7B7E
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFBFB0	0_2_00007FF729FFBFB0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729F93FFA	0_2_00007FF729F93FFA
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FEBD53	0_2_00007FF729FEBD53
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF3DD0	0_2_00007FF729FF3DD0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFF340	0_2_00007FF729FFF340
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF3480	0_2_00007FF729FF3480
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FD7510	0_2_00007FF729FD7510
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FE3270	0_2_00007FF729FE3270
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFB590	0_2_00007FF729FFB590
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FEF6CA	0_2_00007FF729FEF6CA
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF72A068B30	0_2_00007FF72A068B30
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FECB93	0_2_00007FF729FECB93
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF89DE	0_2_00007FF729FF89DE
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFC9F0	0_2_00007FF729FFC9F0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF0EB0	0_2_00007FF729FF0EB0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF72A0103E0	0_2_00007FF72A0103E0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FD84C0	0_2_00007FF729FD84C0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FDC250	0_2_00007FF729FDC250
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729F848C0	0_2_00007FF729F848C0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF0520	0_2_00007FF729FF0520
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FA4690	0_2_00007FF729FA4690
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FED9B3	0_2_00007FF729FED9B3
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FE1FE0	0_2_00007FF729FE1FE0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF72A012080	0_2_00007FF72A012080
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FCDE10	0_2_00007FF729FCDE10
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FE1E20	0_2_00007FF729FE1E20
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFDE60	0_2_00007FF729FFDE60
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF5EB0	0_2_00007FF729FF5EB0
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729F85360	0_2_00007FF729F85360
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FFD410	0_2_00007FF729FFD410
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FDD290	0_2_00007FF729FDD290
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF729FF1800	0_2_00007FF729FF1800
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: 0_2_00007FF72A00D520	0_2_00007FF72A00D520

Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A075680 appears 138 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0B3870 appears 41 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0B4720 appears 158 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A076010 appears 126 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C4650 appears 75 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C44B0 appears 50 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C4780 appears 166 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C65D0 appears 103 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0577D0 appears 182 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C66C0 appears 103 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A0C4B10 appears 43 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A071D40 appears 50 times
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Code function: String function: 00007FF72A069B50 appears 129 times

Source: jgbC220X2U.exe

Static PE information: Number of sections : 20 > 10

Source: classification engine

Classification label: mal48.winEXE@2/1@4/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03

Source: jgbC220X2U.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jgbC220X2U.exe "C:\Users\user\Desktop\jgbC220X2U.exe"
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jgbC220X2U.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: jgbC220X2U.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: jgbC220X2U.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: jgbC220X2U.exe

Static file information: File size 7131898 > 1048576

Source: jgbC220X2U.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x146800

Source: jgbC220X2U.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729F815E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF729F815E0

Source: jgbC220X2U.exe	Static PE information: section name: /4
Source: jgbC220X2U.exe	Static PE information: section name: .xdata
Source: jgbC220X2U.exe	Static PE information: section name: /14
Source: jgbC220X2U.exe	Static PE information: section name: /29
Source: jgbC220X2U.exe	Static PE information: section name: /41
Source: jgbC220X2U.exe	Static PE information: section name: /55
Source: jgbC220X2U.exe	Static PE information: section name: /67
Source: jgbC220X2U.exe	Static PE information: section name: /80
Source: jgbC220X2U.exe	Static PE information: section name: /91
Source: jgbC220X2U.exe	Static PE information: section name: /107
Source: jgbC220X2U.exe	Static PE information: section name: /123

Source: C:\Users\user\Desktop\jgbC220X2U.exe

API coverage: 2.2 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: jgbC220X2U.exe, 00000000.00000002.3289657421.00000248F1DE8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729F9AB32 IsDebuggerPresent,RaiseException,

0_2_00007FF729F9AB32

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729F815E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF729F815E0

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729F81154 Sleep,_initterm,_initterm,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,exit,_cexit,

0_2_00007FF729F81154

Source: C:\Users\user\Desktop\jgbC220X2U.exe

Code function: 0_2_00007FF729F9EAC0 _errno,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,_errno,

0_2_00007FF729F9EAC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jgbC220X2U.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
http://pepwuecibr.eu.loclx.io/command	100%	Avira URL Cloud	phishing
http://pepwuecibr.eu.loclx.io	100%	Avira URL Cloud	phishing
http://pepwuecibr.eu.loclx.io/status	100%	Avira URL Cloud	phishing
https://fonts.googleapis.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
eu.loclx.io	167.99.38.229	true	false	unknown
api.ipify.org	172.67.74.152	true	false	high
pepwuecibr.eu.loclx.io	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pepwuecibr.eu.loclx.io/status	false	Avira URL Cloud: phishing	unknown
http://pepwuecibr.eu.loclx.io/command	false	Avira URL Cloud: phishing	unknown
http://api.ipify.org/?format=text	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://fonts.googleapis.	jgbC220X2U.exe, 00000000.00000002.3289657421.00000248F1DE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pepwuecibr.eu.loclx.io	jgbC220X2U.exe	false	Avira URL Cloud: phishing	unknown
http://api.ipify.org/?format=textUnknown	jgbC220X2U.exe	false		high
http://api.ipify.org	jgbC220X2U.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
167.99.38.229	eu.loclx.io	United States	14061	DIGITALOCEAN-ASNUS	false
104.26.12.205	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573000
Start date and time:	2024-12-11 11:28:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jgbC220X2U.exe renamed because original name is a hash value
Original Sample Name:	f88fa3aa1dc3a59d1914254917c835783d84d384675f3622dde5aa7893952c96.exe
Detection:	MAL
Classification:	mal48.winEXE@2/1@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 15 Number of non-executed functions: 162
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: jgbC220X2U.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
172.67.74.152	malware.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	INVOICE NO. USF23-24072 IGR23110.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	EEMsLiXoiTzoaDd.scr	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Statement 2024-11-29 (K07234).exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	1mr7lpFIVI.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	jKDBppzWTb.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	enyi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.96.6
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	104.18.41.169
	https://renemattner.simvoly.com/?preview=__PREVIEW_ONLY&c=E,1,Ks6Sg62CfOE_CkRSGsjWzEZqQJ4kslHIx5N9ygK8IrTT7dwyHfXwvE4VbQEnQwQXPVvQMpZGcaIV_fVQbP7vMcdrXBRSSDaH5Z18aBsWUw,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	104.21.37.221
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	172.67.213.233
DIGITALOCEAN-ASNUS	https://hongkongliving.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	159.89.194.120
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	167.172.148.114
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	157.230.180.175
	hax.arm.elf	Get hash	malicious	Mirai	Browse	45.55.195.236
	http://abercombie.com	Get hash	malicious	Unknown	Browse	104.248.224.96
	https://listafrica.org/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	68.183.112.81
	https://t.ly/8cSDx	Get hash	malicious	Unknown	Browse	188.166.17.21
	Forhandlingsfriheden.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.22.38.185
	http://email.edms.trackingmore.com/c/eJx0zrFuhDAMgOGnCWPE2YHAkKELr4FsxwF05EBJWun69JU6den8D_8XQz88mKXT8PCICDi6udsDJB44oUuePHiZGCABe0UvMAlP3RGGSSHOI4w--d7NiUdBAlQPKglkNq7Pb9sKyfN4bfkqauXK3Rn21m6DHwYWA0usZKlGu50X03lT2-tOJ1mNn_Z1G1hK7PJ7zVorbboe8Y9z_T7kWS7W0tD1xvVbpuP8vZTwf_sK8BMAAP__3p9Nvw#4UjjVf19156dXgi477henjyiztuh1607QELNKWKBNFUHFFI32RLCJ32096s9/84502vqz	Get hash	malicious	Phisher	Browse	159.65.226.43
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	188.166.27.224
CLOUDFLARENETUS	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.96.6
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	104.18.41.169
	https://renemattner.simvoly.com/?preview=__PREVIEW_ONLY&c=E,1,Ks6Sg62CfOE_CkRSGsjWzEZqQJ4kslHIx5N9ygK8IrTT7dwyHfXwvE4VbQEnQwQXPVvQMpZGcaIV_fVQbP7vMcdrXBRSSDaH5Z18aBsWUw,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	104.21.37.221
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	172.67.213.233

Process:	C:\Users\user\Desktop\jgbC220X2U.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	336
Entropy (8bit):	3.7406015629507228
Encrypted:	false
SSDEEP:	6:UoLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLF3oLFy:NFmFmFmFmFmFmFmFmFmFmFmFmFmFy
MD5:	13D131A6EDC53FE2FDADC4EA0203A08A
SHA1:	30F818ED02C33FB137D0F8B419B6538BBAEEE14B
SHA-256:	92185235AF3FBCF3F0157EFBDAAA9834B3A27CA66A4A00B1552F15448C21BAA3
SHA-512:	CF5DA223E39E7F85CBF6CA5D6C0DE04B12B9B51AA01A2555BDBCC83F021CE489915040518D4E7C2648C2E1300EF8547F329FA8721A24FD1739DB0ED75DD8E99F
Malicious:	false
Reputation:	low
Preview:	Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...Failed to send status...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.889389316114988
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jgbC220X2U.exe
File size:	7'131'898 bytes
MD5:	28354f3e0d66d054bf0d05c3caf1e28a
SHA1:	612fa801d24607511387c8e051bd6de9e0d26b9e
SHA256:	f88fa3aa1dc3a59d1914254917c835783d84d384675f3622dde5aa7893952c96
SHA512:	a15e48bd8be9f74a98d6bb3cce4b2b55625629ea972fdd9a05179f5a6c6957b3bfa90883e6427cc66171fef49837912a58d230ac03c7aecd2b5c31775db2bb15
SSDEEP:	98304:pUkIJaHXWPAfyCdpj6tDW47zhOBJkb9aiieIaH8CRwd9uzhOY2o3QwBSHsg5t61F:ikIRR5h6HE1rL5LGfvt2
TLSH:	E576D9A715AB5CE5EAC673BCB5C7623D9B34FC22CD69192F9204C435AC832847D2EB41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........&.....h...\|......%..........@.....................................Um...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001125
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670D7FE8 [Mon Oct 14 20:32:40 2024 UTC]
TLS Callbacks:	0x4000bfe0, 0x1, 0x4000c0a0, 0x1, 0x4001b54e, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ef8b3b70a03909079864c2140721ce14

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [001545B5h]
mov dword ptr [eax], 00000000h
call 00007F412122A703h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-1Ch], 00000030h
mov eax, dword ptr [ebp-1Ch]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-28h], eax
dec eax
mov eax, dword ptr [ebp-28h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007F412122A713h
dec eax
mov eax, dword ptr [ebp-10h]
dec eax
cmp eax, dword ptr [ebp-18h]
jne 00007F412122A6FBh
mov dword ptr [ebp-04h], 00000001h
jmp 00007F412122A737h
mov ecx, 000003E8h
dec eax
mov eax, dword ptr [001A8746h]
call eax
dec eax
mov eax, dword ptr [0015459Dh]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp-38h], eax
dec eax
mov dword ptr [ebp-40h], 00000000h
dec eax
mov ecx, dword ptr [ebp-38h]
dec eax
mov eax, dword ptr [ebp-40h]
dec eax
mov edx, dword ptr [ebp-30h]
dec eax
cmpxchg dword ptr [edx], ecx
dec eax
mov dword ptr [ebp-10h], eax
dec eax
cmp dword ptr [ebp-10h], 00000000h
jne 00007F412122A69Ah
dec eax
mov eax, dword ptr [00154576h]
mov eax, dword ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a9000	0x1d50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x16a000	0x1a8d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ad000	0x1d68	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x153f20	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a9768	0x638	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x146700	0x146800	77349d5ce0842838be283c444b1e7fa0	False	0.31570037327718226	data	6.011577155215405	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x148000	0x4ca0	0x4e00	1a246a5035db48224f189597fa5571ea	False	0.031600560897435896	data	0.5703995935155458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x14d000	0x1b260	0x1b400	61af7993cdd0dd079eb666aeac4897be	False	0.20101956708715596	data	5.289366783312055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x169000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x16a000	0x1a8d4	0x1aa00	32a19f1d5eaa9f8d6018332c3953aaa4	False	0.5223921654929577	data	6.170793177437251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x185000	0x2245c	0x22600	8daf71ea83cefd59f84d26a67bd78028	False	0.17060369318181817	shared library	4.76992069970833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x1a8000	0xd80	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1a9000	0x1d50	0x1e00	85c7fb81abf5152ee91f00c23d90fe4a	False	0.3067708333333333	data	4.470422394573293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1ab000	0x68	0x200	b9b680875ff1ac6dc2d841039d9c0882	False	0.076171875	data	0.37020935604047256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1ac000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1ad000	0x1d68	0x1e00	f6f4e4b1783d86a4ba1b2e0d407ad73d	False	0.35208333333333336	data	5.429210425100174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14	0x1af000	0xd0	0x200	4c5ccc9a8c7e1f50c9332e402fcdd6e6	False	0.154296875	data	0.8135941418709078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0x1b0000	0x46f9	0x4800	8a70cdea438dd463d8d169b649d5cef3	False	0.3792860243055556	Matlab v4 mat-file (little endian) @\001, rows 134283269, columns 0, imaginary	5.830938126363056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0x1b5000	0x8a5	0xa00	8c412e1ec809bc2d22840ac0c0dd9436	False	0.326953125	data	4.517567710861818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0x1b6000	0x97f	0xa00	93edfdff4dd5e8ebd761fe7a54efc881	False	0.540625	data	4.789641841730167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0x1b7000	0x498	0x600	94009fe3acab9a4989e90d3e57374634	False	0.3444010416666667	data	3.151620531573487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80	0x1b8000	0xce	0x200	292217cd9caa0647d900f44faf753dd5	False	0.34375	data	2.8722615854557496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/91	0x1b9000	0x461	0x600	75a450f8317627827fe1cca60ebb0ae6	False	0.181640625	data	4.17072784657899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/107	0x1ba000	0x88b	0xa00	fd46d698c19f66b45ec30d6988f5b6d4	False	0.398828125	data	4.021570199541239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/123	0x1bb000	0x108	0x200	06fb2fd98c2a2dd2828869db38f7cb4e	False	0.294921875	data	2.3510720891965007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingW, CreateFileW, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FormatMessageA, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFileSizeEx, GetHandleInformation, GetLastError, GetModuleHandleA, GetProcAddress, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount64, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LocalFree, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
api-ms-win-crt-convert-l1-1-0.dll	_ultoa, mbrtowc, strtol, strtoll, strtoul, strtoull, wcrtomb
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, ___mb_cur_max_func, localeconv, setlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _fdopen
api-ms-win-crt-private-l1-1-0.dll	__C_specific_handler, __intrinsic_setjmpex, longjmp, memchr, memcmp, memcpy, memmove, strchr
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _assert, _beginthreadex, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _endthreadex, _errno, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal, strerror, system
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vswprintf, _fileno, _fseeki64, _ftelli64, _lseeki64, _read, _wfopen, _write, fclose, fflush, fgetwc, fopen, fputc, fputs, fread, fwrite, getc, getwc, putc, putwc, setvbuf, ungetc, ungetwc
api-ms-win-crt-string-l1-1-0.dll	_strdup, iswctype, memset, strcmp, strcoll, strlen, strncmp, strxfrm, towlower, towupper, wcscoll, wcslen, wcsxfrm
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _tzset, strftime, wcsftime
api-ms-win-crt-utility-l1-1-0.dll	rand_s
WS2_32.dll	WSACleanup, WSAGetLastError, WSASocketW, WSAStartup, __WSAFDIsSet, closesocket, connect, freeaddrinfo, getaddrinfo, getnameinfo, getpeername, getsockname, getsockopt, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 11:28:58.618937016 CET	49704	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:28:58.742666960 CET	80	49704	172.67.74.152	192.168.2.5
Dec 11, 2024 11:28:58.742782116 CET	49704	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:28:58.776192904 CET	49704	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:28:58.898510933 CET	80	49704	172.67.74.152	192.168.2.5
Dec 11, 2024 11:28:59.841166019 CET	80	49704	172.67.74.152	192.168.2.5
Dec 11, 2024 11:28:59.841892958 CET	49704	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:28:59.841926098 CET	80	49704	172.67.74.152	192.168.2.5
Dec 11, 2024 11:28:59.842000961 CET	49704	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:28:59.964108944 CET	80	49704	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:00.476305008 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:00.599672079 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:00.599808931 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:00.612281084 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:00.735930920 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:00.735989094 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:00.860642910 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.844504118 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.844525099 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.844536066 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.844670057 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:01.844922066 CET	49705	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:01.862426043 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:01.970168114 CET	80	49705	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.987384081 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:01.987464905 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:01.987719059 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:02.111521006 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:03.231303930 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:03.231328011 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:03.231349945 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:03.231373072 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:03.231414080 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:03.232486963 CET	49706	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:03.357249975 CET	80	49706	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:08.222858906 CET	49707	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:08.346604109 CET	80	49707	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:08.346791029 CET	49707	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:08.347069979 CET	49707	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:08.467957973 CET	80	49707	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:09.444174051 CET	80	49707	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:09.444520950 CET	80	49707	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:09.444525957 CET	49707	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:09.444575071 CET	49707	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:09.445609093 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:09.565968990 CET	80	49707	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:09.565984964 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:09.566185951 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:09.566456079 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:09.686184883 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:09.686248064 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:09.805650949 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.803586960 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.803620100 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.803632975 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.803716898 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:10.803757906 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:10.804024935 CET	49708	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:10.805242062 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:10.923233986 CET	80	49708	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.924577951 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:10.924681902 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:10.940543890 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:11.060894012 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:12.177777052 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:12.177824020 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:12.177912951 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:12.179074049 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:12.179132938 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:12.179236889 CET	49709	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:12.298531055 CET	80	49709	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:17.191245079 CET	49714	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:17.310621977 CET	80	49714	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:17.310827017 CET	49714	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:17.311166048 CET	49714	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:17.430489063 CET	80	49714	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:18.416271925 CET	80	49714	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:18.416594028 CET	49714	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:18.417280912 CET	80	49714	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:18.417356014 CET	49714	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:18.417546034 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:18.535995960 CET	80	49714	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:18.536818027 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:18.537636995 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:18.538021088 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:18.657259941 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:18.657406092 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:18.777507067 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.777371883 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.777470112 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.777481079 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.777533054 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:19.777764082 CET	49715	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:19.779202938 CET	49722	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:19.897191048 CET	80	49715	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.898448944 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:19.898566008 CET	49722	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:19.898974895 CET	49722	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:20.019660950 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:21.139556885 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:21.139596939 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:21.139638901 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:21.139748096 CET	49722	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:21.157259941 CET	49722	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:21.276712894 CET	80	49722	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:26.160058022 CET	49739	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:26.279346943 CET	80	49739	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:26.279480934 CET	49739	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:26.279794931 CET	49739	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:26.401876926 CET	80	49739	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:27.468954086 CET	80	49739	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:27.468986034 CET	80	49739	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:27.469058037 CET	49739	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:27.469275951 CET	49739	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:27.470248938 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:27.588727951 CET	80	49739	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:27.589598894 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:27.589725018 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:27.589978933 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:27.709287882 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:27.713669062 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:27.832911968 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.824376106 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.824450016 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.824465990 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.824501038 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:28.824537039 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:28.824805021 CET	49740	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:28.826442957 CET	49746	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:28.944211960 CET	80	49740	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.945799112 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:28.945935965 CET	49746	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:28.946234941 CET	49746	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:29.065547943 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:30.188648939 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:30.188750029 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:30.188760996 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:30.188834906 CET	49746	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:30.189090967 CET	49746	80	192.168.2.5	167.99.38.229
Dec 11, 2024 11:29:30.308557034 CET	80	49746	167.99.38.229	192.168.2.5
Dec 11, 2024 11:29:35.191498995 CET	49762	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:35.310954094 CET	80	49762	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:35.313772917 CET	49762	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:35.314178944 CET	49762	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:35.434171915 CET	80	49762	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:36.414221048 CET	80	49762	172.67.74.152	192.168.2.5
Dec 11, 2024 11:29:36.414546013 CET	49762	80	192.168.2.5	172.67.74.152
Dec 11, 2024 11:29:36.415210009 CET

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jgbC220X2U.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
jgbC220X2U.exe