Edit tour

Windows Analysis Report
Gq8uSE829K.exe

Overview

General Information

Sample name:	Gq8uSE829K.exe renamed because original name is a hash value
Original sample name:	dac7bf146d40fcd08f8507ba9462845d.exe
Analysis ID:	1623762
MD5:	dac7bf146d40fcd08f8507ba9462845d
SHA1:	82ec191eb2ec2410258284788f3a05dd0456c494
SHA256:	d17b07024f88f407c82d331897ff5f81798d9fb14a77fddf665724583806f8ed
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat, ValleyRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

Yara detected ValleyRAT

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Gq8uSE829K.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Gq8uSE829K.exe" MD5: DAC7BF146D40FCD08F8507BA9462845D)

cleanup

Malware Configuration

Threatname: ValleyRat

{"C2 url": ["127.0.0.1:80"]}

Threatname: GhostRat

{"C2 url": "192.168.1.200:9999"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2927554115.0000000003E17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2927165878.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2926713726.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000003.2158871721.0000000003E17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2927258454.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000003.2346857432.0000000003E17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2926936877.0000000002710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000003.1993152852.0000000003E12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000003.1811010678.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: Gq8uSE829K.exe PID: 7280	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: Gq8uSE829K.exe PID: 7280	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.Gq8uSE829K.exe.cb720d.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.bd1116.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.c6fe8d.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.2cd0000.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.27106d1.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.27106d1.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.3e17a41.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.cb720d.0.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.3e17a41.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.2cd0000.3.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.2b111a5.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.2.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.bd1116.0.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.Gq8uSE829K.exe.2b111a5.2.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.3e17a41.3.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.3.Gq8uSE829K.exe.c6fe8d.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 15 entries

Suricata Signatures

ET MALWARE Winos4.0 Framework CnC Login Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:03:09.460531+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.4	49731	111.180.203.230	25603	TCP
2025-02-25T15:04:12.833573+0100	2052875	1	Malware Command and Control Activity Detected	192.168.2.4	49734	111.180.203.230	25603	TCP

ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T15:03:18.999460+0100	2059975	1	Malware Command and Control Activity Detected	111.180.203.230	25603	192.168.2.4	49733	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.3.Gq8uSE829K.exe.3e17a41.4.unpack	Malware Configuration Extractor: GhostRat {"C2 url": "192.168.1.200:9999"}
Source: 0.2.Gq8uSE829K.exe.7ff7d04a0000.6.unpack	Malware Configuration Extractor: ValleyRat {"C2 url": ["127.0.0.1:80"]}

Multi AV Scanner detection for submitted file

Source: Gq8uSE829K.exe	Virustotal: Detection: 81%			Perma Link
Source: Gq8uSE829K.exe	ReversingLabs: Detection: 76%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Gq8uSE829K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD9BC0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

0_2_02CD9BC0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message : 192.168.2.4:49731 -> 111.180.203.230:25603
Source: Network traffic	Suricata IDS: 2059975 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response : 111.180.203.230:25603 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Winos4.0 Framework CnC Login Message : 192.168.2.4:49734 -> 111.180.203.230:25603

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1:80
Source: Malware configuration extractor	URLs: 192.168.1.200:9999

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 111.180.203.230 ports 25603,0,2,3,5,6

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 111.180.203.230:25603

Source: Joe Sandbox View

ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN CHINANET-BACKBONENo31Jin-rongStreetCN

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD3670 select,recv,_errno,_errno,_errno,

0_2_02CD3670

Source: global traffic

DNS traffic detected: DNS query: xh3.twilight.zip

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: [esc]

0_2_02CE2280

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CE2280 Sleep,SleepEx,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

0_2_02CE2280

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

0_2_02CE2280

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CDEE40 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

0_2_02CDEE40

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CE1E70 SHGetFolderPathW,lstrcatW,CreateMutexW,CreateMutexExW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_02CE1E70

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDE2F7 ExitProcess,ExitWindowsEx,	0_2_02CDE2F7
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDE348 ExitWindowsEx,	0_2_02CDE348
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDE327 ExitWindowsEx,	0_2_02CDE327

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF02A4	0_2_02CF02A4
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD3370	0_2_02CD3370
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD86F0	0_2_02CD86F0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CE1E70	0_2_02CE1E70
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CE1790	0_2_02CE1790
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD77A0	0_2_02CD77A0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD67A0	0_2_02CD67A0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CECAF0	0_2_02CECAF0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDB2B0	0_2_02CDB2B0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CFCA74	0_2_02CFCA74
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CE6210	0_2_02CE6210
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD3BB0	0_2_02CD3BB0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEB340	0_2_02CEB340
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF38D0	0_2_02CF38D0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD98B0	0_2_02CD98B0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD2850	0_2_02CD2850
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDF9F0	0_2_02CDF9F0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF11B0	0_2_02CF11B0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEC15C	0_2_02CEC15C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD9170	0_2_02CD9170
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEB104	0_2_02CEB104
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD5930	0_2_02CD5930
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDEE40	0_2_02CDEE40
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CED638	0_2_02CED638
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CFBFC0	0_2_02CFBFC0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEF7F8	0_2_02CEF7F8
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDF780	0_2_02CDF780
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF2F80	0_2_02CF2F80
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CFCFB0	0_2_02CFCFB0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CFB75C	0_2_02CFB75C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD9710	0_2_02CD9710
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF9F10	0_2_02CF9F10
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF0724	0_2_02CF0724
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEACE0	0_2_02CEACE0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDC400	0_2_02CDC400
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CF0D10	0_2_02CF0D10
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A3390	0_2_00007FF7D04A3390
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A73D0	0_2_00007FF7D04A73D0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A6F70	0_2_00007FF7D04A6F70
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A6860	0_2_00007FF7D04A6860
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04B6130	0_2_00007FF7D04B6130
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04AE1C0	0_2_00007FF7D04AE1C0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04AC28C	0_2_00007FF7D04AC28C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04AA30C	0_2_00007FF7D04AA30C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A6C80	0_2_00007FF7D04A6C80
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04B6C50	0_2_00007FF7D04B6C50
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04B24BC	0_2_00007FF7D04B24BC
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04AAD44	0_2_00007FF7D04AAD44
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A2880	0_2_00007FF7D04A2880
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04B4898	0_2_00007FF7D04B4898
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04B58CC	0_2_00007FF7D04B58CC
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02717271	0_2_02717271
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02716271	0_2_02716271
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02721261	0_2_02721261
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0271F251	0_2_0271F251
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02732A51	0_2_02732A51
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02712321	0_2_02712321
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02719381	0_2_02719381
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02721941	0_2_02721941
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0271E911	0_2_0271E911
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_027301F5	0_2_027301F5
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02712E41	0_2_02712E41
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0271BED1	0_2_0271BED1
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02713681	0_2_02713681
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_027307E1	0_2_027307E1
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0272A7B1	0_2_0272A7B1
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02718C41	0_2_02718C41
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0272BC2D	0_2_0272BC2D
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02715401	0_2_02715401
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02725CE1	0_2_02725CE1
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_0272FD75	0_2_0272FD75

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDAB60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_02CDAB60
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD90B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_02CD90B0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD8F30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	0_2_02CD8F30
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD9590 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_02CD9590

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD8430 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,

0_2_02CD8430

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD7150 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_02CD7150

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD77A0 lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,RegQueryValueExW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,

0_2_02CD77A0

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Mutant created: \Sessions\1\BaseNamedObjects\2024.12.22

Source: Gq8uSE829K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gq8uSE829K.exe	Virustotal: Detection: 81%
Source: Gq8uSE829K.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

File read: C:\Users\user\Desktop\Gq8uSE829K.exe

Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32

Jump to behavior

Source: Gq8uSE829K.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Gq8uSE829K.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CE1790 GetVersionExW,LoadLibraryA,GetProcAddress,SetProcessMitigationPolicy,Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,SleepEx,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,

0_2_02CE1790

Source: Gq8uSE829K.exe

Static PE information: real checksum: 0x2bb4f should be: 0x2147e

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02D00B19 push rsp; iretd	0_2_02D00B22
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02D00B39 push rbx; iretd	0_2_02D00B3A
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CFF94B push rbp; retf	0_2_02CFF974
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02730755 pushfd ; ret	0_2_0273075A

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CDE29A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_02CDE29A

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-36502

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-36791

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Window / User API: threadDelayed 495	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Window / User API: threadDelayed 695	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Window / User API: threadDelayed 1323	Jump to behavior
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Window / User API: foregroundWindowGot 1681	Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-36617

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_0-36787
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-36856

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-37073

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD9BC0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

0_2_02CD9BC0

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD67A0 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetLocalTime,wsprintfW,lstrlenW,RegSetValueExW,RegCloseKey,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

0_2_02CD67A0

Source: Gq8uSE829K.exe, 00000000.00000002.2926748568.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ'

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	API call chain: ExitProcess graph end node	graph_0-36997
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	API call chain: ExitProcess graph end node	graph_0-38087
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	API call chain: ExitProcess graph end node	graph_0-38090

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CE4F50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_02CE4F50

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

0_2_02CE1790

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD7EA0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_02CD7EA0

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CE1790 GetVersionExW,LoadLibraryA,GetProcAddress,SetProcessMitigationPolicy,Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,SleepEx,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	0_2_02CE1790
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CE4F50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02CE4F50
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CEC444 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02CEC444
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A8580 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF7D04A8580
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04A8AD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7D04A8AD0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04AA5F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D04AA5F4
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_00007FF7D04ACF6C SetUnhandledExceptionFilter,	0_2_00007FF7D04ACF6C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD98B0 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,

0_2_02CD98B0

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CD9170 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,		0_2_02CD9170
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: 0_2_02CDA670 VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,		0_2_02CDA670

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_02CD9170

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CDFD50 lstrlenW,ShellExecuteW,

0_2_02CDFD50

Source: Gq8uSE829K.exe, 00000000.00000003.2346839391.0000000003E6D000.00000004.00000020.00020000.00000000.sdmp, Gq8uSE829K.exe, 00000000.00000003.2346894523.0000000003E79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: DisplaySessionContainers.log.0.dr	Binary or memory string: :]Program Manager
Source: Gq8uSE829K.exe, 00000000.00000002.2927639356.0000000003E79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetLocalTime,wsprintfW,lstrlenW,RegSetValueExW,RegCloseKey,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	0_2_02CD67A0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	0_2_02CF629C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: EnumSystemLocalesA,	0_2_02CF63CC
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	0_2_02CEE8A0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: _getptd,GetLocaleInfoA,	0_2_02CF5E54
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,	0_2_02CF7664
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	0_2_02CF5FCC
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: GetLocaleInfoW,	0_2_02CF5F3C
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	0_2_02CF64D0
Source: C:\Users\user\Desktop\Gq8uSE829K.exe	Code function: EnumSystemLocalesA,	0_2_02CF6464

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CE2140 GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,

0_2_02CE2140

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CF02A4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_02CF02A4

Source: C:\Users\user\Desktop\Gq8uSE829K.exe

Code function: 0_2_02CD8220 GetCurrentProcessId,wsprintfW,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

0_2_02CD8220

Source: Gq8uSE829K.exe	Binary or memory string: acs.exe
Source: Gq8uSE829K.exe	Binary or memory string: vsserv.exe
Source: Gq8uSE829K.exe	Binary or memory string: avcenter.exe
Source: Gq8uSE829K.exe	Binary or memory string: kxetray.exe
Source: Gq8uSE829K.exe	Binary or memory string: avp.exe
Source: Gq8uSE829K.exe	Binary or memory string: cfp.exe
Source: Gq8uSE829K.exe	Binary or memory string: KSafeTray.exe
Source: Gq8uSE829K.exe	Binary or memory string: 360Safe.exe
Source: Gq8uSE829K.exe	Binary or memory string: rtvscan.exe
Source: Gq8uSE829K.exe	Binary or memory string: 360tray.exe
Source: Gq8uSE829K.exe	Binary or memory string: TMBMSRV.exe
Source: Gq8uSE829K.exe	Binary or memory string: ashDisp.exe
Source: Gq8uSE829K.exe	Binary or memory string: 360Tray.exe
Source: Gq8uSE829K.exe	Binary or memory string: avgwdsvc.exe
Source: Gq8uSE829K.exe	Binary or memory string: AYAgent.aye
Source: Gq8uSE829K.exe	Binary or memory string: RavMonD.exe
Source: Gq8uSE829K.exe	Binary or memory string: QUHLPSVC.EXE
Source: Gq8uSE829K.exe	Binary or memory string: Mcshield.exe
Source: Gq8uSE829K.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0.3.Gq8uSE829K.exe.cb720d.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.bd1116.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.c6fe8d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.27106d1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.27106d1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.3e17a41.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.cb720d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.3e17a41.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2b111a5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.bd1116.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2b111a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.c6fe8d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2927554115.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2927165878.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2926713726.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2158871721.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2927258454.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2346857432.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2926936877.0000000002710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993152852.0000000003E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1811010678.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gq8uSE829K.exe PID: 7280, type: MEMORYSTR

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: Gq8uSE829K.exe PID: 7280, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0.3.Gq8uSE829K.exe.cb720d.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.bd1116.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.c6fe8d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.27106d1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.27106d1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.3e17a41.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.cb720d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.3e17a41.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2b111a5.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.bd1116.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Gq8uSE829K.exe.2b111a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.3e17a41.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Gq8uSE829K.exe.c6fe8d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2927554115.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2927165878.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2926713726.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2158871721.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2927258454.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2346857432.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2926936877.0000000002710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1993152852.0000000003E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1811010678.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gq8uSE829K.exe PID: 7280, type: MEMORYSTR

Yara detected ValleyRAT

Source: Yara match

File source: Process Memory Space: Gq8uSE829K.exe PID: 7280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Obfuscated Files or Information	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 Modify Registry	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 Access Token Manipulation	NTDS	16 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Process Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Indicator Removal	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gq8uSE829K.exe	82%	Virustotal		Browse
Gq8uSE829K.exe	76%	ReversingLabs	Win64.Backdoor.Farfli

Source	Detection	Scanner	Label	Link
127.0.0.1:80	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddosme2.twilight.zip	111.180.203.230	true	true		unknown
xh3.twilight.zip	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
127.0.0.1:80	true	Avira URL Cloud: safe	unknown
192.168.1.200:9999	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
111.180.203.230	ddosme2.twilight.zip	China		4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1623762
Start date and time:	2025-02-25 15:02:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gq8uSE829K.exe renamed because original name is a hash value
Original Sample Name:	dac7bf146d40fcd08f8507ba9462845d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 67 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:04:11	API Interceptor	3743x Sleep call for process: Gq8uSE829K.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
111.180.203.230	ySDcBZskHY.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddosme2.twilight.zip	s2TwydQXx1.exe	Get hash	malicious	Unknown	Browse	27.25.158.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINANET-BACKBONENo31Jin-rongStreetCN	splmips.elf	Get hash	malicious	Unknown	Browse	183.137.253.1
	splm68k.elf	Get hash	malicious	Unknown	Browse	115.205.180.116
	nklspc.elf	Get hash	malicious	Unknown	Browse	171.220.211.183
	splx86.elf	Get hash	malicious	Unknown	Browse	59.56.131.195
	nabarm7.elf	Get hash	malicious	Unknown	Browse	121.230.141.77
	nklx86.elf	Get hash	malicious	Unknown	Browse	124.239.172.35
	nabppc.elf	Get hash	malicious	Unknown	Browse	117.81.155.243
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	222.95.193.241
	nklsh4.elf	Get hash	malicious	Unknown	Browse	106.228.93.185
	nabspc.elf	Get hash	malicious	Unknown	Browse	114.106.100.65

Process:	C:\Users\user\Desktop\Gq8uSE829K.exe
File Type:	data
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	3.630937764781144
Encrypted:	false
SSDEEP:	96:Bccccccc55555555OOOOOODDDDDDggggggtttttCCCCCCC3333333EEEEEEEhhh6:DWWWWWWj
MD5:	2D82C6DF9C42E468E1D2E7CFF3491CDA
SHA1:	DC5B4B5E59698D79BE3C89AE8DDBF7A2816A9D97
SHA-256:	9D10E55DE295E5BA878B1FE6E6FAF8C13BAC3D7A3A6918D0C0B474F563A8D653
SHA-512:	40741A9B9AE04C3E15D81B01428158CBB1151576209BA0721F5BD9A4DCD6403CC084F1C0B6A548447EFDC1FA0510F2BFBC2B7D4B512E3B99E66884A656ED4E82
Malicious:	false
Reputation:	low
Preview:	....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.2.-.2.5. . .9.:.3.:.2.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.106349719510873
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Gq8uSE829K.exe
File size:	133'632 bytes
MD5:	dac7bf146d40fcd08f8507ba9462845d
SHA1:	82ec191eb2ec2410258284788f3a05dd0456c494
SHA256:	d17b07024f88f407c82d331897ff5f81798d9fb14a77fddf665724583806f8ed
SHA512:	a8bbd07e30caa7bb9fd09d61e832cb3feb9ccf94b277589c63180ed041f08b3a50978facdb78531e31bda7020a8789ddda327e3b626a9cec22782e9e7a517d3a
SSDEEP:	3072:lO55k/y5dAj+BMTYlgEQnB+Y+pek7+3OrFZeUqe6ov:lO5n5d56TYZQnB+Dpekyyqm
TLSH:	5AD37D4733A450F9D4A78279C9A25A06E77374660735A7CF17A086BA2F137D0BD3A331
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........VF.g.F.g.F.g.)...+.g.)...M.g.)...k.g.O...M.g.F.f...g.)...K.g.)...G.g.RichF.g.........................PE..d.....ld.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140009a74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x646C86AC [Tue May 23 09:26:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	fb51ede541a9ad63bf23d302e319d2a0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA08CC46A68h
dec eax
add esp, 28h
jmp 00007FA08CC42C4Bh
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], edi
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 60h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [ebp-40h]
dec eax
lea edx, dword ptr [0000EAE5h]
inc ecx
mov eax, 00000040h
call 00007FA08CC41E1Fh
dec eax
lea edx, dword ptr [ebp+10h]
dec eax
mov ecx, edi
dec eax
mov dword ptr [ebp-18h], ebx
dec eax
mov dword ptr [ebp-10h], edi
call 00007FA08CC4AAD5h
dec esp
mov ebx, eax
dec eax
mov dword ptr [ebp+10h], eax
dec eax
mov dword ptr [ebp-08h], eax
dec eax
test edi, edi
je 00007FA08CC42DEDh
test byte ptr [edi], 00000008h
mov ecx, 01994000h
je 00007FA08CC42DD7h
mov dword ptr [ebp-20h], ecx
jmp 00007FA08CC42DDEh
mov eax, dword ptr [ebp-20h]
dec ebp
test ebx, ebx
cmove eax, ecx
mov dword ptr [ebp-20h], eax
inc esp
mov eax, dword ptr [ebp-28h]
mov edx, dword ptr [ebp-3Ch]
mov ecx, dword ptr [ebp-40h]
dec esp
lea ecx, dword ptr [ebp-20h]
call dword ptr [0000E7AFh]
dec esp
lea ebx, dword ptr [esp+60h]
dec ecx
mov ebx, dword ptr [ebx+18h]
dec ecx
mov edi, dword ptr [ebx+20h]
dec ecx
mov esp, ebx
pop ebp
ret
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00016781h]
call dword ptr [0000E7B3h]
dec eax
mov eax, dword ptr [0001686Ch]

Rich Headers

Programming Language:

[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d028	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0x1578	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0x2f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16606	0x16800	9cde0d8ddbf108908aa730f375bc1766	False	0.5621636284722222	zlib compressed data	6.429037086317127	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x5d3a	0x5e00	b44503f0aa67867070e1b6433af825a5	False	0.3683926196808511	data	4.8111582224132965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x6770	0x2200	17ff9625942a6ef87ffc23f8584571be	False	0.22185202205882354	data	2.7058442999653725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0x1578	0x1600	6b2fcd8de66b48f900df2c9c6b6db832	False	0.4728338068181818	data	5.019696142888745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0x1b4	0x200	5f882a758b6b0045acd02c3e0551be90	False	0.486328125	data	5.112623549532036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0x5be	0x600	3b9d434e2274fd734402fea8d43c6f67	False	0.3587239583333333	data	3.4572271853315204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x27058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	HeapCreate, EnterCriticalSection, DeleteCriticalSection, WaitForSingleObject, SetEvent, Sleep, CreateEventA, GetLastError, CloseHandle, GetCurrentThreadId, SwitchToThread, SetLastError, WideCharToMultiByte, lstrlenW, ResetEvent, CreateEventW, CancelIo, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, GetThreadContext, SetThreadContext, LeaveCriticalSection, GetExitCodeProcess, CreateProcessA, GetSystemDirectoryA, VirtualAllocEx, WriteProcessMemory, ResumeThread, FreeLibrary, SetUnhandledExceptionFilter, GetCurrentProcess, LoadLibraryW, GetConsoleWindow, CreateFileW, GetProcAddress, GetLocalTime, IsDebuggerPresent, GetCurrentProcessId, CreateThread, LCMapStringW, WriteConsoleW, SetStdHandle, GetStringTypeW, MultiByteToWideChar, HeapDestroy, InitializeCriticalSectionAndSpinCount, HeapFree, HeapAlloc, VirtualAlloc, OpenProcess, VirtualFree, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, FlushFileBuffers, GetConsoleCP, SetFilePointer, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, GetStartupInfoW, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwindEx, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, HeapReAlloc, HeapSize, GetProcessHeap, ExitThread, DecodePointer, EncodePointer, GetCommandLineW, RaiseException, RtlPcToFileHeader, TerminateProcess, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, HeapSetInformation, GetVersion, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW
USER32.dll	DispatchMessageW, PostThreadMessageA, PeekMessageW, TranslateMessage, MsgWaitForMultipleObjects, ShowWindow, GetInputState, wsprintfW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegCreateKeyW, RegSetValueExW
WS2_32.dll	WSAWaitForMultipleEvents, WSAIoctl, connect, WSAStartup, select, WSAResetEvent, setsockopt, recv, socket, closesocket, gethostbyname, send, WSASetLastError, WSACreateEvent, shutdown, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSACloseEvent, htons, WSACleanup
WINMM.dll	timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-25T15:03:09.460531+0100	2052875	ET MALWARE Winos4.0 Framework CnC Login Message	1	192.168.2.4	49731	111.180.203.230	25603	TCP
2025-02-25T15:03:18.999460+0100	2059975	ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response	1	111.180.203.230	25603	192.168.2.4	49733	TCP
2025-02-25T15:04:12.833573+0100	2052875	ET MALWARE Winos4.0 Framework CnC Login Message	1	192.168.2.4	49734	111.180.203.230	25603	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 15:03:09.453615904 CET	49731	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:09.458692074 CET	25603	49731	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:09.458822012 CET	49731	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:09.460530996 CET	49731	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:09.465646029 CET	25603	49731	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:10.298742056 CET	25603	49731	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:10.298852921 CET	49731	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:10.299022913 CET	49731	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:12.245354891 CET	49732	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:12.250612974 CET	25603	49732	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:12.250691891 CET	49732	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:12.252125025 CET	49732	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:12.257185936 CET	25603	49732	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:16.105273008 CET	25603	49732	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:16.105361938 CET	49732	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:16.105458021 CET	49732	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:18.037100077 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:18.042792082 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:18.042990923 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:18.043606043 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:18.049829006 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:18.999459982 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:18.999891996 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.005752087 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.005784035 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.005812883 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342339993 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342359066 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342371941 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342385054 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342397928 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342410088 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342422962 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342436075 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342448950 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342461109 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342468023 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.342474937 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.342513084 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.347476006 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.347575903 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.588893890 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.588943958 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.588980913 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589016914 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589016914 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.589073896 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.589076996 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589114904 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589169979 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589170933 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.589210033 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.589253902 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.590053082 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.590089083 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.590123892 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.590143919 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.590159893 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.590198040 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.590218067 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.591038942 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591090918 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591126919 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591139078 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.591161013 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591177940 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.591196060 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591336966 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.591941118 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.591994047 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.592029095 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.592041016 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.592063904 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.592099905 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.592108965 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.594393969 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.594472885 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.834387064 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834415913 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834429979 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834443092 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834458113 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834517956 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.834564924 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834579945 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834603071 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834611893 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.834616899 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834642887 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.834647894 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.834681988 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.834995985 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835009098 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835021019 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835026026 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835038900 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835052967 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835061073 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.835105896 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.835447073 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835459948 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835480928 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835491896 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835503101 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.835505009 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835513115 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835527897 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835563898 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.835988045 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.835999966 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836010933 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836029053 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836035013 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836040974 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836052895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836055994 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836091042 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836527109 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836540937 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836561918 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836574078 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836585045 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836585999 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836596966 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836611032 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836622953 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836632967 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836647987 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836661100 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836688995 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836704969 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.836735964 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836750031 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.836792946 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.837443113 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.837459087 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.837471008 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.837505102 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.837515116 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.837527990 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:19.837560892 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:19.880131006 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.084275007 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084290981 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084311962 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084326029 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084342003 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084379911 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.084381104 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.084451914 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084465981 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084477901 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084516048 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.084520102 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.084520102 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085129023 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085139990 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085150957 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085177898 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085189104 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085199118 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085212946 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085226059 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085237980 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085259914 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085277081 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085594893 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085607052 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085618019 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085632086 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085644007 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085656881 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085661888 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085669994 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085688114 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.085688114 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085706949 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.085727930 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086030960 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086054087 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086066961 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086093903 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086116076 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086129904 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086158991 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086194992 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086208105 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086220026 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086232901 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086240053 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086266041 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086536884 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086549044 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086561918 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086575031 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086584091 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086599112 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086766005 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086780071 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086802006 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086813927 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086815119 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086826086 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086839914 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086839914 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086872101 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086906910 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086920023 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086931944 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086944103 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086950064 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.086957932 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.086977959 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.087016106 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.089760065 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.089777946 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.089863062 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090248108 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090257883 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090301037 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090394974 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090406895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090444088 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090446949 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090460062 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090471983 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090495110 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090614080 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090639114 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090653896 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090691090 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090704918 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090704918 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.090965986 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.090980053 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091000080 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091012955 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091013908 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091026068 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091042042 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091046095 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091054916 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091070890 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091094017 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091290951 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091304064 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091322899 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091335058 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091471910 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091484070 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091505051 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091512918 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091517925 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091530085 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091541052 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.091553926 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.091586113 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.094074965 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094088078 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094109058 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094124079 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094124079 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.094135046 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094149113 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094152927 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.094275951 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.094331026 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094343901 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.094372988 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.145773888 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.175403118 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175467968 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175503969 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175558090 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175592899 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175626040 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175659895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175659895 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.175694942 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175709009 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.175730944 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175743103 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.175766945 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175802946 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175811052 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.175837994 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175873995 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.175879955 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.223903894 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.329926014 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.329976082 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330032110 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330034971 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330070972 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330106974 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330113888 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330189943 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330219984 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330235004 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330270052 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330303907 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330317974 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330336094 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330378056 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330389023 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330441952 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330476046 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330495119 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330511093 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330540895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330559015 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330574036 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330607891 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330627918 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330645084 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330681086 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330693960 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330715895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330751896 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330765009 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330806017 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330852032 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.330895901 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330948114 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330982924 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.330998898 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331041098 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331075907 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331089020 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331135035 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331176996 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331178904 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331207037 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331242085 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331274033 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331295967 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331341982 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331351042 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331402063 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331451893 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331459045 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331494093 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331528902 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331543922 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331582069 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331618071 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331633091 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331662893 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331717014 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331720114 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331751108 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331800938 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331809998 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331859112 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331892967 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331906080 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331947088 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.331998110 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.331999063 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332053900 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332087994 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332101107 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332123995 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332160950 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332178116 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332202911 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332232952 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332257032 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332283974 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332336903 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332345009 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332379103 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332412958 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332425117 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332447052 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332485914 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332494020 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332520008 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332561016 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332571983 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332592010 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332643986 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332654953 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332699060 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332731962 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332767010 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332799911 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332842112 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332842112 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332854033 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332886934 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332901001 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332921982 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332957029 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.332968950 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.332993031 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333022118 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333055973 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333061934 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333105087 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333110094 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333144903 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333178043 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333194017 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333211899 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333249092 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333257914 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333283901 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333317995 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333328962 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333352089 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333386898 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333399057 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333417892 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333451986 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333489895 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333523989 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333544016 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333544016 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333559036 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333590984 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333609104 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:20.333627939 CET	25603	49733	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:20.333677053 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:21.471613884 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:21.476792097 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:21.476890087 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:23.349056959 CET	49733	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:26.842730045 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:26.847883940 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:26.847909927 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:26.847934961 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:26.848030090 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:26.848042011 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:33.065164089 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:33.065457106 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:33.070466042 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:38.710341930 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:38.715497017 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:39.601902008 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:39.645741940 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:39.712832928 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:39.718077898 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:55.786715984 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:55.792006969 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:56.175642014 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:03:56.223902941 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:56.295034885 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:03:56.300133944 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:04:12.833573103 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:04:12.838659048 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:04:14.977230072 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:04:15.020834923 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:04:15.071566105 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:04:15.076617002 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:04:28.958658934 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:04:28.963727951 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:04:45.270948887 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:04:45.276112080 CET	25603	49734	111.180.203.230	192.168.2.4
Feb 25, 2025 15:05:01.022598028 CET	49734	25603	192.168.2.4	111.180.203.230
Feb 25, 2025 15:05:01.027694941 CET	25603	49734	111.180.203.230	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2025 15:03:09.400825977 CET	56260	53	192.168.2.4	1.1.1.1
Feb 25, 2025 15:03:09.431701899 CET	53	56260	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 25, 2025 15:03:09.400825977 CET	192.168.2.4	1.1.1.1	0x2690	Standard query (0)	xh3.twilight.zip	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 25, 2025 15:03:09.431701899 CET	1.1.1.1	192.168.2.4	0x2690	No error (0)	xh3.twilight.zip	ddosme2.twilight.zip		CNAME (Canonical name)	IN (0x0001)	false
Feb 25, 2025 15:03:09.431701899 CET	1.1.1.1	192.168.2.4	0x2690	No error (0)	ddosme2.twilight.zip		111.180.203.230	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:03:05
Start date:	25/02/2025
Path:	C:\Users\user\Desktop\Gq8uSE829K.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Gq8uSE829K.exe"
Imagebase:	0x7ff7d04a0000
File size:	133'632 bytes
MD5 hash:	DAC7BF146D40FCD08F8507BA9462845D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2927554115.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2927165878.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2926713726.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2158871721.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2927258454.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2346857432.0000000003E17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2926936877.0000000002710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1993152852.0000000003E12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.1811010678.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gq8uSE829K.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: ValleyRat

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DisplaySessionContainers.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Gq8uSE829K.exe