Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 1364, cmdline: C:\Users\user\Desktop\file.exe, MD5: 7E8888D098D8AF9B7F7D1A39FF7666A4)
- is-71GCF.tmp (PID: 3664, cmdline: "C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp" /SL4 $30340 "C:\Users\user\Desktop\file.exe" 1077961 51712, MD5: 85B94E72C3F2D2B5464E2AAF3C9E242A)
- PrintFolders.exe (PID: 4476, cmdline: "C:\Program Files (x86)\PrintFolders\PrintFolders.exe", MD5: A11421185D7DA999305A2A671E0244DE)
- CqxAaSZxg.exe (PID: 5656, cmdline: (empty), MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 2240, cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4568, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5104, cmdline: taskkill /im "PrintFolders.exe" /f, MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
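The process tree and the extracted configuration above give two things a defender can key on: the cmd.exe chain that taskkills PrintFolders.exe and then erases its own image (the classic taskkill-and-erase self-delete idiom), and the two C2 addresses. The following is an added example of detection logic over process-creation and network-connection events; it is not part of the Joe Sandbox report and is not a Sigma rule (the report notes that no Sigma rule matched). The event format ("<type>|key=value|...") is a constructed, simplified log, not a real Sysmon schema, the sample events are constructed from this page's process tree and C2 list, and the parent/child links and the CqxAaSZxg.exe path in them are assumptions, since the report shows the tree flattened and records no command line for that process.

```python
"""Detect the taskkill+erase self-delete chain and connections to configured C2.

Added example, not Joe Sandbox code and not a Sigma rule. Event format and
sample events are constructed; see the module-level comments for assumptions.
"""
import ntpath
import re

# The two C2 addresses from the report's extracted configuration.
C2_ADDRESSES = {"45.139.105.1", "85.31.46.167"}

# taskkill [/f] /im "<image>" ...   and   erase|del "<path>" (quoted or bare argument)
_TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)', re.IGNORECASE)
_ERASE_RE = re.compile(r'\b(?:erase|del)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed events. PIDs and command lines come from the report's process tree;
# ppid links are ASSUMED (usual Inno Setup layout), the report shows the tree flat.
SAMPLE_EVENTS = [
    r'ProcessCreate|pid=4476|ppid=3664|image=C:\Program Files (x86)\PrintFolders\PrintFolders.exe'
    r'|cmdline="C:\Program Files (x86)\PrintFolders\PrintFolders.exe"',
    r'ProcessCreate|pid=2240|ppid=4476|image=C:\Windows\System32\cmd.exe'
    r'|cmdline="C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f'
    r' & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit',
    r'ProcessCreate|pid=5104|ppid=2240|image=C:\Windows\System32\taskkill.exe'
    r'|cmdline=taskkill /im "PrintFolders.exe" /f',
    # The report does not say where CqxAaSZxg.exe lives; this path is ASSUMED.
    r'NetworkConnect|pid=5656|image=C:\Users\user\AppData\Local\Temp\CqxAaSZxg.exe|dst=45.139.105.1',
    # Benign noise: a browser connection and a taskkill with no erase.
    r'NetworkConnect|pid=1234|image=C:\Program Files\Google\Chrome\Application\chrome.exe|dst=203.0.113.10',
    r'ProcessCreate|pid=7000|ppid=6999|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c taskkill /im notepad.exe /f',
]


def parse_event(line):
    """Split '<type>|k=v|k=v...' into a dict; the event type goes under 'type'."""
    kind, *fields = line.split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def self_delete_target(cmdline):
    """Return the killed image name (lower-case) when the command line both
    taskkills an image and erases/deletes a file with that same name; else None."""
    kill = _TASKKILL_RE.search(cmdline)
    erase = _ERASE_RE.search(cmdline)
    if not kill or not erase:
        return None
    killed = kill.group(1).lower()
    erased = ntpath.basename(erase.group(1) or erase.group(2)).lower()
    return killed if killed == erased else None


def detect(lines):
    """Run both rules over the event stream and return a list of findings."""
    images = {}      # pid -> image path, so a finding can say who spawned cmd.exe
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            if ntpath.basename(ev["image"]).lower() == "cmd.exe":
                target = self_delete_target(ev.get("cmdline", ""))
                if target:
                    parent = images.get(ev.get("ppid"), "")
                    findings.append({
                        "rule": "taskkill+erase self-delete",
                        "pid": ev["pid"],
                        "target": target,
                        # True when the parent is the very image being killed and erased.
                        "parent_is_target": ntpath.basename(parent).lower() == target,
                    })
        elif ev["type"] == "NetworkConnect" and ev.get("dst") in C2_ADDRESSES:
            findings.append({"rule": "connection to configured C2",
                             "pid": ev["pid"], "dst": ev["dst"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The self-delete rule deliberately requires the killed image name and the erased file name to agree, so an administrator's ad-hoc `taskkill` does not fire it; `parent_is_target` is the strongest form of the signal, a process arranging for its own file to be removed once it exits.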
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | URL Reputation: |
Source: | Avira URL Cloud: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: |
Networking |
---|
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B30 |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004081C8 | |
Source: | Code function: | 1_2_00468940 | |
Source: | Code function: | 1_2_00460F30 | |
Source: | Code function: | 1_2_0043DF70 | |
Source: | Code function: | 1_2_004303A4 | |
Source: | Code function: | 1_2_0047A6D8 | |
Source: | Code function: | 1_2_004446E8 | |
Source: | Code function: | 1_2_00434994 | |
Source: | Code function: | 1_2_0045AA90 | |
Source: | Code function: | 1_2_00480BDC | |
Source: | Code function: | 1_2_00444C90 | |
Source: | Code function: | 1_2_00462F38 | |
Source: | Code function: | 1_2_00445388 | |
Source: | Code function: | 1_2_00435698 | |
Source: | Code function: | 1_2_00445794 | |
Source: | Code function: | 1_2_0042F948 | |
Source: | Code function: | 1_2_00457BB4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004096F0 | |
Source: | Code function: | 2_2_004056A0 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_004150D3 | |
Source: | Code function: | 2_2_00415305 | |
Source: | Code function: | 2_2_004223A9 | |
Source: | Code function: | 2_2_00419510 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_00426850 | |
Source: | Code function: | 2_2_00410A50 | |
Source: | Code function: | 2_2_0042AB9A | |
Source: | Code function: | 2_2_00421C88 | |
Source: | Code function: | 2_2_0042ACBA | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00428D39 | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000F670 | |
Source: | Code function: | 2_2_1000EC61 |
Source: | Code function: | 1_2_00423D9C | |
Source: | Code function: | 1_2_004127F0 | |
Source: | Code function: | 1_2_004551C4 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: | 0_2_00408F74 | |
Source: | Code function: | 1_2_00453A8C |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B30 |
Source: | File read: |
Source: | Code function: | 1_2_00454498 |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 1_2_0040B1E0 |
Source: | File created: |
Source: | Command line argument: | 2_2_004096F0 |
Source: | Window found: |
Source: | Window detected: |
Source: | Static file information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004065B9 | |
Source: | Code function: | 0_2_00404195 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00407E89 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00408B4F | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 1_2_00409BA5 | |
Source: | Code function: | 1_2_0040A258 | |
Source: | Code function: | 1_2_004782B3 | |
Source: | Code function: | 1_2_0040A255 | |
Source: | Code function: | 1_2_004063C9 | |
Source: | Code function: | 1_2_004303A9 | |
Source: | Code function: | 1_2_0045A751 | |
Source: | Code function: | 1_2_004108ED | |
Source: | Code function: | 1_2_00412B9B | |
Source: | Code function: | 1_2_00451023 | |
Source: | Code function: | 1_2_0040D242 | |
Source: | Code function: | 1_2_004055F9 | |
Source: | Code function: | 1_2_00443664 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0047976D | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0040F7A2 | |
Source: | Code function: | 1_2_00419E45 | |
Source: | Code function: | 2_2_004311B6 | |
Source: | Code function: | 2_2_0040F4CE |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_004243F4 | |
Source: | Code function: | 1_2_004243AC | |
Source: | Code function: | 1_2_0041859C | |
Source: | Code function: | 1_2_00422A74 | |
Source: | Code function: | 1_2_004177B0 | |
Source: | Code function: | 1_2_00477D2C | |
Source: | Code function: | 1_2_00417EE6 | |
Source: | Code function: | 1_2_00417EE8 |
Source: | Process information set: |
Source: | Evasive API call chain: | graph_0-5527 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Check user administrative privileges: | graph_2-35037 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: |
Source: | Code function: | 0_2_004095D0 |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: |
Source: | Code function: | 2_2_0041336B |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_0042041F | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417BAF | |
Source: | Code function: | 2_2_100091C7 | |
Source: | Code function: | 2_2_10006CE1 |
Source: | Code function: | 2_2_0040F789 | |
Source: | Code function: | 2_2_0041336B | |
Source: | Code function: | 2_2_0040F5F5 | |
Source: | Code function: | 2_2_0040EBD2 | |
Source: | Code function: | 2_2_10006180 | |
Source: | Code function: | 2_2_100035DF | |
Source: | Code function: | 2_2_10003AD4 |
Source: | Process created: |
Source: | Code function: | 1_2_004593E4 |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004051C8 | |
Source: | Code function: | 0_2_00405214 | |
Source: | Code function: | 1_2_0040874C | |
Source: | Code function: | 1_2_00408798 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00427041 | |
Source: | Code function: | 2_2_0042708C | |
Source: | Code function: | 2_2_00427127 | |
Source: | Code function: | 2_2_004271B2 | |
Source: | Code function: | 2_2_0041E2FF | |
Source: | Code function: | 2_2_00427405 | |
Source: | Code function: | 2_2_0042752B | |
Source: | Code function: | 2_2_00427631 | |
Source: | Code function: | 2_2_00427700 | |
Source: | Code function: | 2_2_0041E821 | |
Source: | Code function: | 2_2_00426D9F |
Source: | Code function: | 2_2_0040F7F3 |
Source: | Code function: | 1_2_00455B2C |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CB0 |
Source: | Code function: | 1_2_00453A24 |
Stealing of Sensitive Information |
---|
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 14 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 13 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
4% | ReversingLabs | |||
46% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1250671 | Download File | ||
100% | Avira | HEUR/AGEN.1232832 | Download File | ||
100% | Avira | HEUR/AGEN.1248792 | Download File |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
10% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
| false | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | false |
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | false |
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | false |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 753410 |
Start date and time: | 2022-11-24 19:17:06 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@12/23@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Excluded IPs from analysis (whitelisted): 20.90.156.32
- Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net, ctldl.windowsupdate.com
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
19:18:05 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | 20 associated samples | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | 20 associated samples | | malicious | | |
CMCSUS | 20 associated samples | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\PrintFolders\Russian.dll (copy) | 20 associated samples (sample names and SHA-256 values not captured) | | malicious (20 of 20) | | |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 1785853 |
Entropy (8bit): | 5.935308752003533 |
Encrypted: | false |
SSDEEP: | 24576:R+A+X+y5l+g+B6+zn+zu+hcyh/mwnZqwA8oxV2yH0E:AJOyqpBTz+z3GMLZqw3oxg |
MD5: | A11421185D7DA999305A2A671E0244DE |
SHA1: | DB41764649C88DDD4B45DBAEF4989A98CF535EB5 |
SHA-256: | 35D963911A7EC845128C7625E1697BFDFA251F16414A36B4B167E3B249B6BE51 |
SHA-512: | D9AF38B9F77DACE89ECADA8CBD16DB2EB56253A263A0F3548529DA533D92C020CA7859EEAC354838BDAAE0791C0CFC6B02835B27BB4E6651BBA5F326DF36E4BB |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1785853 |
Entropy (8bit): | 5.9353074675304 |
Encrypted: | false |
SSDEEP: | 24576:M+A+X+y5l+g+B6+zn+zu+hcyh/mwnZqwA8oxV2yH0E:VJOyqpBTz+z3GMLZqw3oxg |
MD5: | BB631B1A1849EA76FEF8499094997EC1 |
SHA1: | 01CDE93DC7865AFBC58A7C856BE46DB2D668AD6C |
SHA-256: | A18280B01B0A74970FA9D8B05A36C2244308059C1DA91137C87C653627A54B54 |
SHA-512: | CC0410A72FEE5B046AE04C57FB61CAECE23432E02F728355BF68B0ED359138A191BF1DD1FB1D86E5FAA6E87D4CFB2FCADEC79AE203265C5B1AF463729163D8CC |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3814 |
Entropy (8bit): | 4.500239612277464 |
Encrypted: | false |
SSDEEP: | 48:l9wHkIyMHLBv8iD86plmE6FoIN0hqkLVO3471qV/LDa0zA47brL1XL8:YH/rp8iD86p45oIyhqYOIh0N4 |
MD5: | 291A7BCB6ABED2EE25A0F6CE3C60CA4D |
SHA1: | 3A4A06AEB5135CBBD1C6CF5458DE7C94588B7C2C |
SHA-256: | 2173DEEC6F1D8FB321D0DB399F48A825CA8D38A02DC71396315F49A239ABD03C |
SHA-512: | 2A0C3456D7E9E74148D342121EE1D13994314B8AE744A41BD5DDC9C8B2A4ECB252665177AC4B2F0CBA79DB42A7A26D4BAEA6CE5545454EC408819EA9549E027D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
Antivirus: |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
(PrintFolders.exe dropped three files with this identical content, the single ASCII character 0; these hashes are the well-known digests of that one byte.)
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 658944 |
Entropy (8bit): | 6.468629759056718 |
Encrypted: | false |
SSDEEP: | 12288:Oh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxO0:05NoqWolrP837JzHvA6yknyWFxvJxO0 |
MD5: | 85B94E72C3F2D2B5464E2AAF3C9E242A |
SHA1: | CE7CCAE5F50A990D059D59292D4A332979E162BA |
SHA-256: | 1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7 |
SHA-512: | C0C27189989DB482BE9BDA5B6B8B1441BDC5E9B0F3A414CCAB4C4BE516E7F99E25717845361A5B196114502FAAAF21BEC7ACA91B497ACD2E2396F49C31850880 |
Malicious: | true |
Antivirus: |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: |
Preview: |
File type: | |
Entropy (8bit): | 7.988856468769687 |
TrID: |
File name: | file.exe |
File size: | 1313965 |
MD5: | 7e8888d098d8af9b7f7d1a39ff7666a4 |
SHA1: | 3301535903ea09ddc389f1fc3d67fd45e8215526 |
SHA256: | 64bbb72159a4bdfd522ae703ee76a1c63e8ca6ba297cb2ee8634357909a50738 |
SHA512: | d896c61e8d870106463838f3473fdab55db7e1a4c1f82b35aa16b91649cf13ea6154d43566c6792ab1be09bf74d3f2c607524fced8b4c1342e7b54103805a499 |
SSDEEP: | 24576:1izohkTpLnjwSsQiJJk/w2m+tZWQ3hU+Z3i/NA7O8gZIY7eCLxYi2:eQkTpLjVsTWWnk36NA7ENeVi2 |
TLSH: | D2553307F3A664B0E02106776C439A5496A3FE271D307620F7EC3FE8AD5B5A0965F722 |
File Content Preview: | MZP.....................@.......................Inno....z...............!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x40968c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | da86ff6d22d7419ae7f10724a403dffd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007F0298645C3Fh |
call 00007F0298646EEAh |
call 00007F02986490DDh |
call 00007F0298649124h |
call 00007F029864B673h |
call 00007F029864B762h |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409D71h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409D27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007F029864C0EFh |
call 00007F029864BCAEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F0298649598h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007F0298645CEBh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 004070C4h |
call 00007F0298649BFBh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409D05h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007F0298649CD3h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007F0298649E0Dh |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8c8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x263c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8e00 | 0x8e00 | False | 0.6218364876760564 | data | 6.600437911517656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.3115234375 | data | 2.7204325510923035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8c8 | 0xa00 | False | 0.389453125 | data | 4.2507970587946735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x86c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x263c | 0x2800 | False | 0.322265625 | data | 4.568719834340923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1030c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States |
RT_ICON | 0x10434 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States |
RT_ICON | 0x1099c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States |
RT_ICON | 0x10c84 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States |
RT_STRING | 0x1152c | 0x2f2 | data | ||
RT_STRING | 0x11820 | 0x30c | data | ||
RT_STRING | 0x11b2c | 0x2ce | data | ||
RT_STRING | 0x11dfc | 0x68 | data | ||
RT_STRING | 0x11e64 | 0xb4 | data | ||
RT_STRING | 0x11f18 | 0xae | data | ||
RT_GROUP_ICON | 0x11fc8 | 0x3e | data | English | United States |
RT_VERSION | 0x12008 | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x123b0 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
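The static fields above are the fingerprint of a Borland/Delphi-linked Inno Setup bootstrapper: an "MZP" DOS stub, CODE/DATA/BSS section names (what a sandbox reports as non-standard), no security directory, and a timestamp of 0x2A425E19 (19 June 1992), which is a constant the Delphi linker writes rather than a build date. The section raw sizes sum to well under 64 KB against a 1,313,965-byte file, and the file entropy of 7.99 sits far above the 6.6 of CODE, so the bulk of the file is an overlay appended past the last section, which is where the Inno Setup stub keeps its compressed payload. The script below is an added example, not Joe Sandbox code: a stdlib-only PE32 reader that reproduces those checks and measures the overlay. The PE it runs on is built in memory to mirror this sample's layout (its bytes are not file.exe), and the set of "standard" section names is the example's own assumption.

```python
import hashlib
import math
import struct

# Section names the Microsoft toolchain emits; anything else (Borland's CODE/DATA/BSS,
# packer names such as UPX0) is what a sandbox calls "non-standard". Assumed list.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".CRT", ".debug"}
BORLAND_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC: Delphi linker constant, not a build time
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where an Authenticode signature would live


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); above 7 suggests compression or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Minimal PE32 reader: COFF header, optional header, data directories, sections, overlay."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections, end = [], 0
    for i in range(nsec):
        h = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        name, vsize, va, rsize, rptr, flags = h[0].rstrip(b"\0").decode("latin-1"), h[1], h[2], h[3], h[4], h[9]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": rsize, "flags": flags,
                         "entropy": shannon_entropy(buf[rptr:rptr + rsize])})
        end = max(end, rptr + rsize)
    overlay = buf[end:]  # bytes past the last section: installer payloads and packer data live here
    return {"timestamp": tstamp, "entrypoint": entry, "image_base": image_base, "characteristics": chars,
            "dirs": dirs, "sections": sections, "overlay_size": len(overlay),
            "overlay_entropy": shannon_entropy(overlay)}


def triage(pe: dict) -> dict:
    """The static checks a sandbox report surfaces, as plain booleans and lists."""
    ep = pe["entrypoint"]
    ep_sec = next((s["name"] for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "borland_timestamp": pe["timestamp"] == BORLAND_TIMESTAMP,
        "odd_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
        "wx_sections": [s["name"] for s in pe["sections"]
                        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0],
        "entrypoint_section": ep_sec,
        "signed": len(pe["dirs"]) > DIR_SECURITY and pe["dirs"][DIR_SECURITY] != (0, 0),
        "overlay_bytes": pe["overlay_size"],
        "overlay_entropy": round(pe["overlay_entropy"], 2),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 shaped like the report's sample (MZP stub, Borland section names and
    timestamp, unsigned, high-entropy overlay). Not the real file.exe bytes."""
    def align(n, a):
        return (n + a - 1) // a * a
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xD4, 0x53, 0x56, 0x57, 0x33, 0xC0]) * 20
    secs = [(b"CODE", 0x60000020, code),                                  # CODE|EXECUTE|READ
            (b"DATA", 0xC0000040, b"\0" * 0x100 + b"PrintFolders\0"),      # INIT_DATA|READ|WRITE
            (b".rsrc", 0x50000040, b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'/>")]
    hdr_size = align(0x40 + 4 + 20 + 224 + 40 * len(secs), 0x200)
    sec_hdrs, blobs, va, rptr = b"", b"", 0x1000, hdr_size
    for name, flags, body in secs:
        rsize = align(len(body), 0x200)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), va, rsize, rptr, 0, 0, 0, 0, flags)
        blobs += body.ljust(rsize, b"\0")
        va, rptr = va + align(len(body), 0x1000), rptr + rsize
    dos = b"MZP" + b"\0" * 57 + struct.pack("<I", 0x40)               # Borland stubs start "MZP"
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), BORLAND_TIMESTAMP, 0, 0, 224, 0x818F)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 2, 25, len(code), 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 1, 0, 1, 0, 1, 0, 0, va, hdr_size, 0, 2, 0,
                      0x100000, 0x4000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty directories
    # Pseudo-random overlay stands in for a compressed installer payload (entropy close to 8).
    overlay = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + blobs + overlay


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_sample_pe())).items():
        print(f"{key:22} {value}")
```

To run it against a real sample, feed `open(path, "rb").read()` to `parse_pe` instead of `build_sample_pe()`. The import-table walk and imphash are deliberately left out; the point is that the timestamp, section naming and overlay checks alone already separate a Delphi installer stub from a Visual C++ build without any signature database.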
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
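The TCP timeline that follows lists every packet as its own row, which is the wrong granularity for an analyst who wants to know how many connections the sample opened, to whom, and for how long. The script below is an added example, not Joe Sandbox code, that folds rows in the report's own column format into client-to-server flows: it treats the sandbox host as the client, counts packets per direction, measures each flow's span, and tags destinations against an IOC set. The embedded rows are copied from the first eleven lines of the timeline. The IOC set holds only 45.139.105.171, the address the context table above ties to other malware; leaving 107.182.129.235 untagged is a placeholder choice for the example, not a verdict from this page.

```python
import re
from datetime import datetime

SANDBOX_IP = "192.168.2.5"
# Only the address this report's context table links to other malware; assumed IOC set.
FLAGGED_IPS = {"45.139.105.171"}

# Timestamp | Source Port | Dest Port | Source IP | Dest IP rows, copied from the report's TCP timeline.
TIMELINE = """\
Nov 24, 2022 19:18:06.138360977 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.166135073 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.166255951 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.176034927 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.203965902 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.208683968 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.208781958 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.352401972 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.380523920 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.380817890 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.381181955 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
"""

ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+ \| (\d+) \| (\d+) \| ([\d.]+) \| ([\d.]+) \|")


def parse_row(line: str):
    """One timeline row -> (datetime, sport, dport, src, dst); None for rows that do not match."""
    m = ROW.match(line.strip())
    if not m:
        return None
    stamp, frac, sport, dport, src, dst = m.groups()
    ts = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))  # report has nanoseconds, datetime keeps microseconds
    return ts, int(sport), int(dport), src, dst


def summarize(text: str, sandbox_ip: str = SANDBOX_IP, flagged=FLAGGED_IPS) -> list:
    """Group packets into client->server flows (the sandbox side is the client), first-seen order."""
    flows = {}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        ts, sport, dport, src, dst = row
        if src == sandbox_ip:                       # outbound packet
            key, direction = (sport, dst, dport), "out"
        else:                                       # reply, or anything not sent by the sandbox
            key, direction = (dport, src, sport), "in"
        f = flows.setdefault(key, {"client_port": key[0], "server": key[1], "server_port": key[2],
                                   "out": 0, "in": 0, "first": ts, "last": ts,
                                   "flagged": key[1] in flagged})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    for f in flows.values():
        f["duration_ms"] = (f["last"] - f["first"]).total_seconds() * 1000
    return list(flows.values())


if __name__ == "__main__":
    for f in summarize(TIMELINE):
        tag = "FLAGGED" if f["flagged"] else ""
        print(f"{f['client_port']} -> {f['server']}:{f['server_port']}  out={f['out']} in={f['in']}  "
              f"{f['duration_ms']:.1f} ms  {tag}")
```

On the full timeline the 49707 flow would grow into the long download that dominates the rest of the table, and a byte count per direction (not available in this row format) would separate a beacon from a payload fetch; with only timestamps and ports, packet counts and duration are the honest proxies.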
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2022 19:18:06.138360977 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.166135073 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.166255951 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.176034927 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.203965902 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.208683968 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:06.208781958 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:06.352401972 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.380523920 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.380817890 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.381181955 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.408307076 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.408601999 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.408911943 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.442995071 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.470390081 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470576048 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470662117 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470725060 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.470729113 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470725060 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.470774889 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.470799923 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470860958 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470957994 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.470989943 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471013069 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471013069 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471020937 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.471077919 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471084118 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.471132040 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471143961 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.471198082 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.471203089 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.471251011 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.498931885 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.498995066 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499037981 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499037981 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499053001 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499099970 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499155998 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499238014 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499303102 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499310970 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499356031 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499358892 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499385118 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499411106 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499432087 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499469995 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.499484062 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.499526024 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.526846886 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.526902914 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.526940107 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.526941061 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.526968002 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.526976109 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.526988983 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527019024 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527041912 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527064085 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527086020 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527105093 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.527108908 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527132988 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.527134895 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.527280092 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.527280092 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.527352095 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.554533005 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554588079 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554625988 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554663897 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554701090 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554734945 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554760933 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554785967 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554811954 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554837942 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554864883 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.554944992 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.554944992 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.554944992 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.554944992 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.555005074 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582448006 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582535982 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582597017 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582654953 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582709074 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582756042 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582794905 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582837105 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582854033 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582854033 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582854033 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582906008 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582932949 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582937956 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.582993984 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.582994938 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.583048105 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.583051920 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.583102942 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.583106995 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.583158016 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.610425949 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610483885 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610513926 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610542059 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610570908 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610599041 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610626936 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610655069 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610682964 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610709906 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610737085 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610737085 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.610759020 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.610827923 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.610896111 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.638362885 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638428926 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638472080 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638524055 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638565063 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638606071 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638644934 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638685942 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:06.638806105 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.638806105 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.638807058 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:06.718194962 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.747112036 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:06.747570038 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.748177052 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.776040077 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:07.600012064 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:07.600199938 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:09.730413914 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:09.760652065 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:10.372955084 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:10.373271942 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:11.213674068 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:11.213768005 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:11.583908081 CET | 80 | 49707 | 107.182.129.235 | 192.168.2.5 |
Nov 24, 2022 19:18:11.584064960 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:12.665682077 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:12.695169926 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:13.368314981 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:13.368565083 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:15.786164045 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:15.815412045 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:16.549029112 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:16.549140930 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:18.605607033 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:18.634470940 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:19.240708113 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:19.240933895 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:21.340537071 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:21.370395899 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:21.991055965 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:21.991260052 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:24.089605093 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:24.118248940 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:24.775511026 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:24.775984049 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:26.886960030 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:26.919414043 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:27.572810888 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:27.575181007 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:29.653567076 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:29.681566954 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:30.310436964 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:30.310628891 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:32.854022026 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:32.884021997 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:33.532494068 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:33.532692909 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:36.435168982 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:36.463021040 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:37.093343019 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:37.096766949 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:40.475877047 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:40.476006031 CET | 49707 | 80 | 192.168.2.5 | 107.182.129.235 |
Nov 24, 2022 19:18:40.476138115 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
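The rows above are raw per-packet data. The triage step a practitioner usually wants is a per-flow summary and a check of whether the client-originated traffic is periodic: the 49708 flow to 171.22.30.106 shows a request cycle repeating roughly every three seconds, which is the kind of cadence worth flagging as a beacon. The Python below is an added example, not code from the sandbox report or from the vendor that produced it. It embeds a subset of the rows listed above as its sample input, and it assumes that 192.168.2.5 is the analysis host (consistent with the session tables) and that client packets less than 1 s apart belong to one request/ACK burst (the client's ACK of the server's reply follows the request by about 0.6 to 0.9 s here); both are choices made for this example, not values stated in the report.

```python
# Added example (not part of the sandbox report). Assumptions: 192.168.2.5 is the
# analysis host; client packets < 1 s apart (a request plus its ACKs) form one burst.
import re
import statistics
from dataclasses import dataclass, field
from datetime import datetime

SANDBOX_HOST = "192.168.2.5"  # assumption, consistent with the session tables

# Sample input: a subset of the rows from the packet table above (ports 49706/49708).
SAMPLE_ROWS = """\
Nov 24, 2022 19:18:06.718194962 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.747112036 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:06.747570038 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.748177052 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:06.776040077 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:07.600012064 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:07.600199938 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:09.730413914 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:09.760652065 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:10.372955084 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:10.373271942 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:11.213674068 CET | 80 | 49706 | 45.139.105.171 | 192.168.2.5 |
Nov 24, 2022 19:18:11.213768005 CET | 49706 | 80 | 192.168.2.5 | 45.139.105.171 |
Nov 24, 2022 19:18:12.665682077 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:12.695169926 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:13.368314981 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:13.368565083 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:15.786164045 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
Nov 24, 2022 19:18:15.815412045 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:16.549029112 CET | 80 | 49708 | 171.22.30.106 | 192.168.2.5 |
Nov 24, 2022 19:18:16.549140930 CET | 49708 | 80 | 192.168.2.5 | 171.22.30.106 |
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+\s*\|\s*"
    r"(?P<sport>\d+)\s*\|\s*(?P<dport>\d+)\s*\|\s*(?P<src>[\d.]+)\s*\|\s*(?P<dst>[\d.]+)\s*\|?$"
)

@dataclass
class Flow:
    client_port: int
    server: str
    server_port: int
    out_times: list = field(default_factory=list)  # client -> server, epoch seconds
    in_times: list = field(default_factory=list)   # server -> client, epoch seconds

def parse_time(ts: str, frac: str) -> float:
    # strptime's %f takes at most six digits, so the nanosecond fraction is added by hand.
    base = datetime.strptime(ts, "%b %d, %Y %H:%M:%S")
    return (base - datetime(1970, 1, 1)).total_seconds() + int(frac) / 10 ** len(frac)

def parse_flows(text: str) -> dict:
    """Group rows into flows keyed by (client port, server IP, server port)."""
    flows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or malformed row
        t, sport, dport = parse_time(m["ts"], m["frac"]), int(m["sport"]), int(m["dport"])
        if m["src"] == SANDBOX_HOST:
            key, outbound = (sport, m["dst"], dport), True
        elif m["dst"] == SANDBOX_HOST:
            key, outbound = (dport, m["src"], sport), False
        else:
            continue  # neither side is the analysis host
        flow = flows.setdefault(key, Flow(*key))
        (flow.out_times if outbound else flow.in_times).append(t)
    return flows

def beacon_intervals(times: list, gap: float = 1.0) -> list:
    """Collapse client->server packets into bursts and return the gaps between
    consecutive burst starts (the check-in cadence)."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return [b - a for a, b in zip(starts, starts[1:])]

def summarize(flows: dict, gap: float = 1.0) -> dict:
    """Per-flow packet counts plus, given enough bursts, the median period and its
    jitter as a coefficient of variation (low means a regular beacon)."""
    report = {}
    for (_cport, server, sport), f in sorted(flows.items()):
        iv = beacon_intervals(f.out_times, gap)
        entry = {"out": len(f.out_times), "in": len(f.in_times),
                 "bursts": len(iv) + 1 if f.out_times else 0}
        if len(iv) >= 2:
            entry["period_s"] = round(statistics.median(iv), 3)
            entry["jitter_cv"] = round(statistics.stdev(iv) / statistics.fmean(iv), 3)
        report[f"{server}:{sport}"] = entry
    return report

if __name__ == "__main__":
    for endpoint, e in summarize(parse_flows(SAMPLE_ROWS)).items():
        print(endpoint, e)
```

Run directly, it prints one line per server endpoint with outbound and inbound packet counts, the number of request bursts, and, where there are at least three bursts, the median inter-burst period and its jitter. On the embedded rows the 171.22.30.106:80 flow comes out at a period of about 3.0 s with a coefficient of variation around 0.03, which is the regularity that distinguishes a check-in loop from interactive traffic. The 1 s gap has to be re-tuned for slower beacons, the regular expression is specific to this report's row layout, and the result only says the traffic is periodic; what is carried in it is a question for the HTTP session tables that follow.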
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49706 | 45.139.105.171 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 19:18:06.176034927 CET | 0 | OUT | |
Nov 24, 2022 19:18:06.208683968 CET | 0 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.5 | 49707 | 107.182.129.235 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 19:18:06.381181955 CET | 1 | OUT | |
Nov 24, 2022 19:18:06.408601999 CET | 1 | IN | |
Nov 24, 2022 19:18:06.442995071 CET | 2 | OUT | |
Nov 24, 2022 19:18:06.470576048 CET | 3 | IN | |