Windows
Analysis Report
SecuriteInfo.com.Trojan.Inject.3564.exe
Overview
General Information
Detection
GuLoader, Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
- SecuriteInfo.com.Trojan.Inject.3564.exe (PID: 4756, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe", MD5: 0D6D5BEF9FC4A8D2E0FC32BB4D524AAF)
- SecuriteInfo.com.Trojan.Inject.3564.exe (PID: 4000, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe", MD5: 0D6D5BEF9FC4A8D2E0FC32BB4D524AAF)
- cleanup
{"Payload URL": "http://185.222.57.79/SALES/1%20FEB%202-22_jalPPiWqFb130.bin"}
{"Host:Port:Password": "185.222.57.217:8780:|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_rurbibqnnhyclpl", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
05/27/22-14:48:49.901221 | 192.168.11.20 | 49749 | 185.222.57.217 | 8780 | TCP | 2825931 | A Network Trojan was detected
05/27/22-14:40:51.779893 | 192.168.11.20 | 49748 | 185.222.57.79 | 80 | TCP | 2018752 | A Network Trojan was detected
05/27/22-14:48:49.901221 | 192.168.11.20 | 49749 | 185.222.57.217 | 8780 | TCP | 2829308 | A Network Trojan was detected
05/27/22-14:48:49.899380 | 185.222.57.217 | 8780 | 192.168.11.20 | 49749 | TCP | 2825930 | A Network Trojan was detected
05/27/22-14:40:51.910166 | 192.168.11.20 | 49749 | 185.222.57.217 | 8780 | TCP | 2825929 | A Network Trojan was detected
AV Detection
- Malware Configuration Extractor (2 entries)
- Virustotal: Perma Link
- File source (2 entries)
- Avira URL Cloud
- Static PE information (2 entries)
- Binary string (4 entries)
- Code function: 1_2_00405D74, 1_2_0040290B, 1_2_0040699E
Networking
- Snort IDS (5 entries)
- URLs (2 entries)
- ASN Name (2 entries)
- HTTP traffic detected
- TCP traffic
- TCP traffic detected without corresponding DNS query (50 entries)
- String found in binary or memory (37 entries)
- HTTP traffic detected
Key, Mouse, Clipboard, Microphone and Screen Capturing
- Windows user hook set
- Code function: 1_2_00405809
E-Banking Fraud
- File source (2 entries)
- Static PE information
- Code function: 1_2_00403640
- Code function (41 entries): 1_2_00406D5F, 1_2_719D1BFF, 1_2_032CCBB5, 1_2_032CE1CD, 1_2_032C533D, 1_2_032C8F32, 1_2_032C6706, 1_2_032C6772, 1_2_032C8B4C, 1_2_032C8757, 1_2_032C67EE, 1_2_032CEBE0, 1_2_032C5224, 1_2_032CEE3E, 1_2_032CE632, 1_2_032C6662, 1_2_032C864B, 1_2_032C9A93, 1_2_032C86E7, 1_2_032CAACE, 1_2_032C6936, 1_2_032C890D, 1_2_032C5552, 1_2_032C51A5, 1_2_032C69A7, 1_2_032C5587, 1_2_032C8595, 1_2_032C8593, 1_2_032C85EE, 1_2_032C55D6, 1_2_032C503A, 1_2_032C8808, 1_2_032C501D, 1_2_032C5478, 1_2_032C88A2, 1_2_032C5CBF, 1_2_032C508C, 1_2_032C6888, 1_2_032C5094, 1_2_032C50F2, 1_2_032C54CF
- Code function: 1_2_032CFF03, 1_2_032CFA59, 1_2_032CE1CD
- Binary or memory string
- Static PE information
- Section loaded (2 entries)
- Virustotal
- File read
- Static PE information
- Key opened
- Process created (3 entries)
- Key value queried
- Code function: 1_2_00403640
- File created (2 entries)
- Classification label
- Code function: 1_2_004021AA
- File read
- Code function: 1_2_00404AB5
- Mutant created
- File written
- Static PE information
- Binary string (4 entries)
Data Obfuscation
- File source (2 entries)
- Code function: 1_2_719D30EE, 1_2_032C3C98, 1_2_032C8F2D, 1_2_032C9822, 1_2_032C4326, 1_2_032C729F, 1_2_032C4326, 1_2_032C4326, 1_2_032C4326, 1_2_032C9A11, 1_2_032C3C98, 1_2_032C4326, 1_2_032C34C9
- Code function: 1_2_719D1BFF
- File created (2 dropped files)
- Registry value created or modified (4 entries)
- Process information set (7 entries)
Malware Analysis System Evasion
- File opened (4 entries)
- Binary or memory string (2 entries)
- Thread sleep count
- Thread sleep time
- Last function
- Dropped PE file which has not been started
- Code function: 1_2_032C6424
- Window / User API (2 entries)
- Code function: 1_2_00405D74, 1_2_0040290B, 1_2_0040699E
- System information queried
- API call chain: graph_1-9495, graph_1-9714
- Binary or memory string (15 entries)
Anti Debugging
- Thread information set (2 entries)
- Code function: 1_2_719D1BFF
- Code function: 1_2_032C6424
- Code function: 1_2_032C8B7A, 1_2_032C8B4C, 1_2_032CEBE0, 1_2_032CB229, 1_2_032CEE3E, 1_2_032CDE50, 1_2_032C8D2A, 1_2_032C8D19, 1_2_032C8D19, 1_2_032C8595, 1_2_032C8593, 1_2_032C8C0A, 1_2_032C8CBE, 1_2_032C508C
- Process queried (2 entries)
- Code function: 1_2_032CC478
- Process created
- Binary or memory string (14 entries)
- Code function: 1_2_00403640
Stealing of Sensitive Information
- File source (2 entries)
Remote Access Functionality
- File source (2 entries)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Masquerading | 11 Input Capture | 321 Security Software Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 12 Process Injection | 22 Virtualization/Sandbox Evasion | LSASS Memory | 22 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | 111 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 4 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link
---|---|---|---|---
| 12% | Virustotal | | Browse
| 5% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
---|---|---|---|---
| 0% | Metadefender | | Browse
| 0% | ReversingLabs | |
| 3% | Metadefender | | Browse
| 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
---|---|---|---|---
| 0% | Avira URL Cloud | safe |
| 0% | Virustotal | | Browse
| 0% | Avira URL Cloud | safe |
| 2% | Virustotal | | Browse
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
| 100% | Avira URL Cloud | malware |
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
| 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
---|---|---|---
| true | | unknown
| true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
---|---|---|---|---
| | false | | unknown
| | false | | high
| | false | | unknown
| | false | | high
| | false | | high
| | true | | unknown
| | false | | high
| | false | | unknown
| | false | | unknown
| | false | | unknown
| | true | | unknown
| | false | | high
| | false | | high
| | false | | high
| | false | | high
| | false | | high
| | false | | unknown
| | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
---|---|---|---|---|---|---
185.222.57.217 | unknown | Netherlands | | 51447 | ROOTLAYERNETNL | true
185.222.57.79 | unknown | Netherlands | | 51447 | ROOTLAYERNETNL | true
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 635115 |
Start date and time: | 2022-05-27 14:38:35 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 12m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | SecuriteInfo.com.Trojan.Inject.3564.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Run name: | Suspected Instruction Hammering |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/13@0/2 |
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 51.124.57.242
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
14:40:50 | API Interceptor | |
14:40:52 | Autostart | |
14:41:00 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
---|---|---|---|---|---
185.222.57.217 | (4 associated samples) | | malicious | Browse |
185.222.57.79 | (1 associated sample) | | malicious | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
---|---|---|---|---|---
ROOTLAYERNETNL | (20 associated samples) | | malicious | Browse |
ROOTLAYERNETNL | (20 associated samples) | | malicious | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
---|---|---|---|---|---
C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll | (3 associated samples) | | malicious | Browse |
C:\Users\user\AppData\Local\Temp\nsw99C.tmp\System.dll | (20 associated samples) | | malicious | Browse |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | modified |
Size (bytes): | 43 |
Entropy (8bit): | 4.693479289485192 |
Encrypted: | false |
SSDEEP: | 3:JODb6MHIymy32ov:Jebozyn |
MD5: | 8B36E2227A5BD0472C64194B43581D90 |
SHA1: | E391FCABCE78C902A95B2B3A90F46380AA0E6031 |
SHA-256: | 7A5D1B27408729909236B8B98CD3D19002750B7297981F32A6E6DD743B16BFB4 |
SHA-512: | FE426325981C65C37C16AE8021B2D8EDB50009743DC54C3EA2F496CA020BB980BCC43D70F5A2498A2AB8315183F5D2437DB72CCE69698978D927FA0E25DB1375 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 40 |
Entropy (8bit): | 4.412814895472355 |
Encrypted: | false |
SSDEEP: | 3:bAL2Wlv3AhWuvU2:bu2gYEd2 |
MD5: | 176F3A8631F14F0421935D07502B8CD9 |
SHA1: | 70C91B54BDE9BA107AB322ECACF16C60E0D8E57B |
SHA-256: | F507F6BB14F286DD6835A18FC9ECDB86F73DBA96E9E281D626718447F1C496BB |
SHA-512: | CC963E6BD3577D12FAC185D3D61CCC72098C52E5F2E907E5724BA7BC9FF022A2E74D0DF18D82AD7EC645FEE9328458B7493B1BDD7F1216A677A42F8516568336 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 133390 |
Entropy (8bit): | 4.032963937138419 |
Encrypted: | false |
SSDEEP: | 768:8qWwx5hfUOSsrEMcRjmsUOvH0i7yx3CuhoP3tcD1stuSKjKNY1lDY491:84xrf+JJFvLuxyuhm3tcDqdCDZ91 |
MD5: | 88518E49F5833B3DC505A5CA9E5A17EA |
SHA1: | 9C2EB3D3451DAE1531233D5D7B5323ED8F7D0E55 |
SHA-256: | DCC92754CBDB814A5AB672426B7072C7EC06D0B35CAC59DEB17E808019B38C1E |
SHA-512: | 76441315E4BA246AB527AE1D9E833C1F5A1EC019EBE4BDC46251E4B680CB8B62671574E09320148B3696F1C0580B1D3E6E62243EF04762D10142D5F45984C0E4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 380640 |
Entropy (8bit): | 6.00755593352656 |
Encrypted: | false |
SSDEEP: | 6144:tqpZKqQPNb5tPcACMBdK99Uf2o7nypI83l4tHY1706ePrz2lxf:tqEvcA49Ro7R64Pi |
MD5: | 07B4E869E84B557512EE38A5C283FEF3 |
SHA1: | 85AFD748ACB7DB97C763ABFEA292E8543B084517 |
SHA-256: | C718B6BF9A427A117FFC1AB1C0E02551AFB2675406BAC625534E02179DB12C9D |
SHA-512: | C1E7E9781B538D6FD1265DF135606483DCC80B190FFB6DE6C9A7C4DD83B2B4453C746FE7C4E4AE577BE5DD40D4BB98BE8D0325119148D81D8D3CD094E92606E7 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 685 |
Entropy (8bit): | 7.621282940093077 |
Encrypted: | false |
SSDEEP: | 12:6v/7U+KyobNKxqUPO9/qRw6l2ZK2zirFLDbFJXy+MAg+eElsD8itXaBdHjGGrOKF:N+KyobksUVRqK2+LX/zlsYR3HjGCbx |
MD5: | 8C4F73C63672801A4629BA32BFAF9E31 |
SHA1: | C59877FEA56A2D45E36389366B0CCBC0AC2B720B |
SHA-256: | DFAFC0CCDCD4A2B74B8F74ECBE0BE82FC9FF3D055A8C9585DD78379DB7F01063 |
SHA-512: | E4479DFE6F342212DA86B0B4BE1095162F07F7AE98AC1921CC9ED7BB650E7024CF80D1A82EA99D3744C9127FA046E82C81D4D82D17152D868DD7D1D78ACE20E5 |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Category: | dropped |
Size (bytes): | 166 |
Entropy (8bit): | 5.876785121167948 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllZMFnt4UoEw2GUqcklEj9h0XGqV/maXyj2fllljp:6v/lhPysLEnt4UoEwsqckGpq6jy/jp |
MD5: | A008C1D205C5B08639C0A8D8673C6C72 |
SHA1: | 5190570B97A6F75F1D10D3D1EC6E46AEC8705B0B |
SHA-256: | 54A3EBAD22462339574D87D835CA626E039E9B38A625806BAA051F80A327C428 |
SHA-512: | AC5F3ED7773C04223650B757F6168FA4F6C57BA4F0C073BD5AB933B96F0FC3AEE918543C4AEA703A9F472045C6FC5CEA012935850F2971A8107772B96F341AB5 |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.814115788739565 |
Encrypted: | false |
SSDEEP: | 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr |
MD5: | CFF85C549D536F651D4FB8387F1976F2 |
SHA1: | D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E |
SHA-256: | 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8 |
SHA-512: | 531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88 |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1292652 |
Entropy (8bit): | 3.864768543104337 |
Encrypted: | false |
SSDEEP: | 3072:veHaqq95T1TpRKkYxyZuSkIRipOp1MbSqh43FFc23lRxSsopQfql1Ody29kn1jYF:XaekadZaJiaeQMV |
MD5: | 2D947C4C9147622CFC588FC5C17DDDEC |
SHA1: | B367B48D1282E39E37B8992615FF9947DEE8CFED |
SHA-256: | EBB8155AC71DD53258CE3772F189B4771272BA55E15A6DABDE2BEA6896DC2CC3 |
SHA-512: | 3213B423153A1350AA3A0213079EDF21D77022C7839EB3A905F7EE8A02028E6A572499223889A55C2EF4646C0D3B2CB6DC64E1DCCEF26053EF80D34313EAD885 |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 658027 |
Entropy (8bit): | 6.79371907132509 |
Encrypted: | false |
SSDEEP: | 12288:rYgT387AbTc/v4b0h2gdYBXnQLGT/Fp0hZAvcG0ePzNSd01RHqtZCCNfn6THbMcy:rYgo7AbTc/v4b0h2gqBXnQLGT/Fp0hZB |
MD5: | D2DD4E8168706A8AE302E5F59D7BB993 |
SHA1: | DF22F35E6C42E7717D821387DA387093D6ED4E12 |
SHA-256: | 0AB4A5721960B4959FFAC1451C15EE114E5C45905A8DA1E5AEA28C3F506CC9FB |
SHA-512: | EB7CB3B76859CAB2F633E231449387F414DEF3F950DCCDAB5D5C97EE60F1319EB14F3B772D5DF8431D125BE70F84F179E8299A7F785A65EDD4A9AEF1E20F925D |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4730 |
Entropy (8bit): | 4.970880293743837 |
Encrypted: | false |
SSDEEP: | 96:VkoIankPYfLoIJomlXTlUxSHtuubQLqJlm0mxmOmTGmVm/mYmY:VkfcMI64RfIubQW/BEjPoKlp |
MD5: | 8F7C767AFA41E6D03BDE59296DFF8175 |
SHA1: | EEFA541D3A06CAFEB62A535B86D1A95D6AAE1CD6 |
SHA-256: | 292770B23ED69AF4EDE9255BB66ADF3D3A0FF62D827D2BA05ED2C44A57228ED6 |
SHA-512: | FFE75CCD2EFFA74E24955BF36DBD86BB1B30F880D233D8F5C5431E99169224E89E7C59FDD052C6F9544E05CF11FD425F01ADD6E87B512C318132D963CB338B04 |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 208 |
Entropy (8bit): | 6.572781220141588 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllUxPFp/7l04sR5/7dY+MK6Ie+ed0oxIwsoazRC4I:6v/lhPysIzlZsfdY+MKda8RC4KymCeVp |
MD5: | E2FC23D36F5488D1F2888D524F933582 |
SHA1: | 335CA8F69FF42E4418F0C95A9626F7B027F62139 |
SHA-256: | 07AEFFEAC02CD1501C54E5D66ED1816B83AF04E51B1676AF3C4A538FDC9E9E4A |
SHA-512: | EA3B15A24F8B3FF83DE6ABB7392A0672A55F1F87DDC485B2AD517E76B48358C852484CF2D23FD7989992676AF73640D6CC2002FD2F0FD2EAA29C39C7DFE503BA |
Malicious: | false |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 105 |
Entropy (8bit): | 3.661849232724529 |
Encrypted: | false |
SSDEEP: | 3:M1XKe31t4yv1gKe31t4yv1gKe3n:0aK4y9K4y9S |
MD5: | 5FEEACD53BE58F9804B2BB6AC90A0654 |
SHA1: | 01060E129AA59B305C49C95C9C6F8FB514D77015 |
SHA-256: | 93F869F792A944A9779883A627B90351E4870AA22959C694BA85A00C7D010261 |
SHA-512: | 370C395EDDFB2414F997A50D5945B74061F2D3320BE3F9A756EF6DAB185E4B8584C50D7657D16D474DB51EC1CF829AC3DE7534ADC0321B8DA19A3D8146685D6F |
Malicious: | false |
File type: | |
Entropy (8bit): | 6.793727437239704 |
File name: | SecuriteInfo.com.Trojan.Inject.3564.exe |
File size: | 658027 |
MD5: | 0d6d5bef9fc4a8d2e0fc32bb4d524aaf |
SHA1: | 78ba54ad4ff986e5d96a35cd441de47517455ba9 |
SHA256: | 824a49f83e2e0d1be82a9aee6ac76add4d9ff7ac3dc633e754e5dad1977a9cf9 |
SHA512: | 7893c1bd4a437a11dae17ef6f6f3ad2ca4c0e4aa432d0cbfe9e9862d34b511a556d37fb9be946bebd8ebbf927603643a3a184d43fa9005fa53e318884178e856 |
SSDEEP: | 12288:0YgT387AbTc/v4b0h2gdYBXnQLGT/Fp0hZAvcG0ePzNSd01RHqtZCCNfn6THbMcy:0Ygo7AbTc/v4b0h2gqBXnQLGT/Fp0hZB |
TLSH: | 72E429B2A570868AD5E91EF25E4AB93091B22C7CDCE2110DA9F6330DD6F231145DEB4F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*..... |
Icon Hash: | ac9eb23233b28eaa |
Entrypoint: | 0x403640 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 61259b55b8912888e90f516ca08dc514 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 000003F4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [ebp-14h], ebx |
mov dword ptr [ebp-04h], 0040A230h |
mov dword ptr [ebp-10h], ebx |
call dword ptr [004080C8h] |
mov esi, dword ptr [004080CCh] |
lea eax, dword ptr [ebp-00000140h] |
push eax |
mov dword ptr [ebp-0000012Ch], ebx |
mov dword ptr [ebp-2Ch], ebx |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-00000140h], 0000011Ch |
call esi |
test eax, eax |
jne 00007FC31CD2100Ah |
lea eax, dword ptr [ebp-00000140h] |
mov dword ptr [ebp-00000140h], 00000114h |
push eax |
call esi |
mov ax, word ptr [ebp-0000012Ch] |
mov ecx, dword ptr [ebp-00000112h] |
sub ax, 00000053h |
add ecx, FFFFFFD0h |
neg ax |
sbb eax, eax |
mov byte ptr [ebp-26h], 00000004h |
not eax |
and eax, ecx |
mov word ptr [ebp-2Ch], ax |
cmp dword ptr [ebp-0000013Ch], 0Ah |
jnc 00007FC31CD20FDAh |
and word ptr [ebp-00000132h], 0000h |
mov eax, dword ptr [ebp-00000134h] |
movzx ecx, byte ptr [ebp-00000138h] |
mov dword ptr [0042A318h], eax |
xor eax, eax |
mov ah, byte ptr [ebp-0000013Ch] |
movzx eax, ax |
or eax, ecx |
xor ecx, ecx |
mov ch, byte ptr [ebp-2Ch] |
movzx ecx, cx |
shl eax, 10h |
or eax, ecx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x63d38 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6676 | 0x6800 | False | 0.656813401442 | data | 6.41745998719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.11058212765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x2b000 | 0x27000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x52000 | 0x63d38 | 0x63e00 | False | 0.295598990926 | data | 5.64645184571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x523d0 | 0x368 | data | English | United States |
RT_ICON | 0x52738 | 0x4180c | data | English | United States |
RT_ICON | 0x93f48 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States |
RT_ICON | 0xa4770 | 0x94a8 | data | English | United States |
RT_ICON | 0xadc18 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xb1e40 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 95 | English | United States |
RT_ICON | 0xb43e8 | 0x988 | data | English | United States |
RT_ICON | 0xb4d70 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0xb51d8 | 0xb8 | data | English | United States |
RT_DIALOG | 0xb5290 | 0x144 | data | English | United States |
RT_DIALOG | 0xb53d8 | 0x13c | data | English | United States |
RT_DIALOG | 0xb5518 | 0x100 | data | English | United States |
RT_DIALOG | 0xb5618 | 0x11c | data | English | United States |
RT_DIALOG | 0xb5738 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0xb5798 | 0x68 | data | English | United States |
RT_VERSION | 0xb5800 | 0x1f4 | data | English | United States |
RT_MANIFEST | 0xb59f8 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW |
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW |
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW |
Description | Data |
---|---|
ProductName | Wadiesant |
FileDescription | Unpackagedfotomo |
FileVersion | 19.29.0 |
Comments | CHONDROITI |
CompanyName | Conteketra |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/27/22-14:48:49.901221 | TCP | 2825931 | ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Outbound) | 49749 | 8780 | 192.168.11.20 | 185.222.57.217 |
05/27/22-14:40:51.779893 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49748 | 80 | 192.168.11.20 | 185.222.57.79 |
05/27/22-14:48:49.901221 | TCP | 2829308 | ETPRO TROJAN MSIL/Remcos Variant CnC Checkin | 49749 | 8780 | 192.168.11.20 | 185.222.57.217 |
05/27/22-14:48:49.899380 | TCP | 2825930 | ETPRO TROJAN MSIL/Remcos RAT CnC Keep-Alive (Inbound) | 8780 | 49749 | 185.222.57.217 | 192.168.11.20 |
05/27/22-14:40:51.910166 | TCP | 2825929 | ETPRO TROJAN MSIL/Remcos RAT CnC Checkin | 49749 | 8780 | 192.168.11.20 | 185.222.57.217 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49748 | 185.222.57.79 | 80 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject.3564.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 27, 2022 14:40:51.779892921 CEST | 21 | OUT | |
May 27, 2022 14:40:51.796084881 CEST | 22 | IN | |