Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6988 cmdline: C:\Users\user\Desktop\file.exe MD5: DAF761FB9AAA34A9C2120003694D88A3)
  - ComSvcConfig.exe (PID: 4572 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)
  - jsc.exe (PID: 3068 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
LgoogLoader | LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP | Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin | Florian Roth | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth (Nextron Systems) | |
JoeSecurity_lGoogLoader | Yara detected lgoogLoader | Joe Security | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen | |
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Avira URL Cloud: |
Source: | Joe Sandbox ML: |
Exploits |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Process token adjusted: |
Source: | File created: |
Source: | Driver loaded: |
Source: | Dropped File: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Key opened: |
Source: | Process created: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Section loaded: |
Source: | Cryptographic APIs: |
Source: | File opened: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: |
Persistence and Installation Behavior |
---|
Source: | File created: |
Source: | Registry key created: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File source: |
Source: | Binary or memory string: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Evasive API call chain: |
Source: | Dropped PE file which has not been started: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Evaded block: |
Source: | API coverage: |
Source: | Process information queried: |
Source: | API call chain: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: |
Source: | Reference to suspicious API methods: |
Source: | Code function: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Key value queried: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 Valid Accounts | 13 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | 2 Windows Service | 1 Exploitation for Privilege Escalation | 1 Valid Accounts | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | 2 LSASS Driver | 11 Access Token Manipulation | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 2 Windows Service | 21 Virtualization/Sandbox Evasion | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | 211 Process Injection | 11 Access Token Manipulation | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | 2 LSASS Driver | 211 Process Injection | Cached Domain Credentials | 34 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Deobfuscate/Decode Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Obfuscated Files or Information | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Detection | Scanner | Label | Link |
---|---|---|---|
46% | ReversingLabs | Win64.Trojan.Pwsx | |
56% | Virustotal | | |
100% | Joe Sandbox ML | | |
Detection | Scanner | Label | Link |
---|---|---|---|
0% | ReversingLabs | | |
Detection | Scanner | Label | Link |
---|---|---|---|
0% | URL Reputation | safe | |
0% | URL Reputation | safe | |
0% | Avira URL Cloud | safe | |
100% | Avira URL Cloud | malware | |
8% | Virustotal | | |
9% | Virustotal | | |
0% | Virustotal | | |
100% | Avira URL Cloud | malware | |
Malicious | Antivirus Detection | Reputation |
---|---|---|
true | | unknown |
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | high |
false | | unknown |
false | | unknown |
false | | unknown |
false | | high |
false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.42.94.169 | unknown | Russian Federation | | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 882700 |
Start date and time: | 2023-06-06 17:13:55 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winEXE@5/2@0/1 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- TCP Packets have been reduced to 100
Time | Type | Description |
---|---|---|
17:14:52 | API Interceptor | |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1595 |
Entropy (8bit): | 5.378294470225564 |
Encrypted: | false |
SSDEEP: | 48:MxHKn1qHGiD0HKeGiYHKGD8AoiHd+vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAoi0ZPStzG1eqKPz |
MD5: | 3D4F5C31B249A99B5AC79BB49D9894F3 |
SHA1: | C7F66B88EB5A896E235CB6C37CC752C225119173 |
SHA-256: | 472C344E0D0AB687ED38440FCE12C0E010957CF27C4514710C0683F15DC0DEC5 |
SHA-512: | CF6805ACC8DAEBFB21DC467BF533D6D68BC9EF5BED519D1DF0833BFB5E982E54828702A672EBD971EFE4FC7B828818B8DB57FAC70B673AA5A884B5AB9130CA1E |
Malicious: | true |
Reputation: | low |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 36208 |
Entropy (8bit): | 6.284053631838433 |
Encrypted: | false |
SSDEEP: | 768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4 |
MD5: | 97E3A44EC4AE58C8CC38EEFC613E950E |
SHA1: | BC47E15537FA7C32DFEFD23168D7E1741F8477ED |
SHA-256: | 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C |
SHA-512: | 8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | moderate, very likely benign file |
File type: | |
Entropy (8bit): | 5.697202938635302 |
TrID: | |
File name: | file.exe |
File size: | 30720 |
MD5: | daf761fb9aaa34a9c2120003694d88a3 |
SHA1: | 47fd2695b6da26f6444799d442662b982d70f783 |
SHA256: | 18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b |
SHA512: | 1ddf3c0b4dcbb4103d24b6a5bb3308dff706c9d9277d411be3f9356e9040e67b04c0c02c9c927ba60c5723a50d746287de34cff5545003a0aed3596ec13fd7b2 |
SSDEEP: | 768:uwVMApolbUGPPMdwdunhdH15FIU/ogyejq:bVLoljn8nhj5FF1jq |
TLSH: | 68D20800A3F98767EAFB4BF64871124447BA7ABB7936E75D0DC460DB1A637404A01BA3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Lx}d.........."...0.Uk............... ....@...... ....................................`................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x400000 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x647D784C [Mon Jun 5 05:53:16 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | |
Instruction |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x8f4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8ad8 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x6b55 | 0x6c00 | False | 0.5057146990740741 | data | 5.791232238044552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xa000 | 0x8f4 | 0xa00 | False | 0.2921875 | data | 4.376579543169947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xa0b8 | 0x328 | data | | |
RT_VERSION | 0xa3e0 | 0x328 | data | English | United States |
RT_MANIFEST | 0xa708 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 0 |
Start time: | 17:14:48 |
Start date: | 06/06/2023 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1f6c58b0000 |
File size: | 30720 bytes |
MD5 hash: | DAF761FB9AAA34A9C2120003694D88A3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
Target ID: | 1 |
Start time: | 17:14:59 |
Start date: | 06/06/2023 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13570130000 |
File size: | 173672 bytes |
MD5 hash: | 2778AE0EB674B74FF8028BF4E51F1DF5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 2 |
Start time: | 17:14:59 |
Start date: | 06/06/2023 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8b0000 |
File size: | 46688 bytes |
MD5 hash: | 2B40A449D6034F41771A460DADD53A60 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |