Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 2144 cmdline: C:\Users\user\Desktop\file.exe MD5: 3B97FD1136B9ED348734E5EA77AAA75A)
- is-8PA5U.tmp (PID: 244 cmdline: "C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712 MD5: 85B94E72C3F2D2B5464E2AAF3C9E242A)
- PrintFolders.exe (PID: 2344 cmdline: "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" MD5: 988A479E180E7899959663226C9AAC1B)
- 1mWX2l.exe (PID: 4668 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 6128 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 3172 cmdline: taskkill /im "PrintFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
 | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | URL Reputation: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B30 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004081C8 | |
Source: | Code function: | 1_2_00468940 | |
Source: | Code function: | 1_2_00460F30 | |
Source: | Code function: | 1_2_0043DF70 | |
Source: | Code function: | 1_2_004303A4 | |
Source: | Code function: | 1_2_0047A6D8 | |
Source: | Code function: | 1_2_004446E8 | |
Source: | Code function: | 1_2_00434994 | |
Source: | Code function: | 1_2_0045AA90 | |
Source: | Code function: | 1_2_00480BDC | |
Source: | Code function: | 1_2_00444C90 | |
Source: | Code function: | 1_2_00462F38 | |
Source: | Code function: | 1_2_00445388 | |
Source: | Code function: | 1_2_00435698 | |
Source: | Code function: | 1_2_00445794 | |
Source: | Code function: | 1_2_0042F948 | |
Source: | Code function: | 1_2_00457BB4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004096F0 | |
Source: | Code function: | 2_2_004056A0 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_004150D3 | |
Source: | Code function: | 2_2_00415305 | |
Source: | Code function: | 2_2_004223A9 | |
Source: | Code function: | 2_2_00419510 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_00426850 | |
Source: | Code function: | 2_2_00410A50 | |
Source: | Code function: | 2_2_0042AB9A | |
Source: | Code function: | 2_2_00421C88 | |
Source: | Code function: | 2_2_0042ACBA | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00428D39 | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000F670 | |
Source: | Code function: | 2_2_1000EC61 |
Source: | Code function: | 1_2_00423D9C | |
Source: | Code function: | 1_2_004127F0 | |
Source: | Code function: | 1_2_004551C4 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_00408F74 | |
Source: | Code function: | 1_2_00453A8C |
Source: | WMI Queries: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B30 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 1_2_00454498 |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 1_2_0040B1E0 |
Source: | File created: | Jump to behavior |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004065B9 | |
Source: | Code function: | 0_2_00404195 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00407E89 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00408B4F | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 1_2_00409BA5 | |
Source: | Code function: | 1_2_0040A258 | |
Source: | Code function: | 1_2_004782B3 | |
Source: | Code function: | 1_2_0040A255 | |
Source: | Code function: | 1_2_004063C9 | |
Source: | Code function: | 1_2_004303A9 | |
Source: | Code function: | 1_2_0045A751 | |
Source: | Code function: | 1_2_004108ED | |
Source: | Code function: | 1_2_00412B9B | |
Source: | Code function: | 1_2_00451023 | |
Source: | Code function: | 1_2_0040D242 | |
Source: | Code function: | 1_2_004055F9 | |
Source: | Code function: | 1_2_00443664 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0047976D | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0040F7A2 | |
Source: | Code function: | 1_2_00419E45 | |
Source: | Code function: | 2_2_004311B6 | |
Source: | Code function: | 2_2_0040F4CE |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_004243F4 | |
Source: | Code function: | 1_2_004243AC | |
Source: | Code function: | 1_2_0041859C | |
Source: | Code function: | 1_2_00422A74 | |
Source: | Code function: | 1_2_004177B0 | |
Source: | Code function: | 1_2_00477D2C | |
Source: | Code function: | 1_2_00417EE6 | |
Source: | Code function: | 1_2_00417EE8 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Evasive API call chain: | graph_0-5350 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Check user administrative privileges: | graph_2-35022 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_004095D0 |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0041336B |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_0042041F | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417BAF | |
Source: | Code function: | 2_2_100091C7 | |
Source: | Code function: | 2_2_10006CE1 |
Source: | Code function: | 2_2_0040F789 | |
Source: | Code function: | 2_2_0041336B | |
Source: | Code function: | 2_2_0040F5F5 | |
Source: | Code function: | 2_2_0040EBD2 | |
Source: | Code function: | 2_2_10006180 | |
Source: | Code function: | 2_2_100035DF | |
Source: | Code function: | 2_2_10003AD4 |
Source: | Process created: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 1_2_004593E4 |
Source: | Code function: | 0_2_004051C8 | |
Source: | Code function: | 0_2_00405214 | |
Source: | Code function: | 1_2_0040874C | |
Source: | Code function: | 1_2_00408798 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00427041 | |
Source: | Code function: | 2_2_0042708C | |
Source: | Code function: | 2_2_00427127 | |
Source: | Code function: | 2_2_004271B2 | |
Source: | Code function: | 2_2_0041E2FF | |
Source: | Code function: | 2_2_00427405 | |
Source: | Code function: | 2_2_0042752B | |
Source: | Code function: | 2_2_00427631 | |
Source: | Code function: | 2_2_00427700 | |
Source: | Code function: | 2_2_0041E821 | |
Source: | Code function: | 2_2_00426D9F |
Source: | Code function: | 2_2_0040F7F3 |
Source: | Code function: | 1_2_00455B2C |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CB0 |
Source: | Code function: | 1_2_00453A24 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
4% | ReversingLabs | |||
46% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1232832 | Download File | ||
100% | Avira | HEUR/AGEN.1250671 | Download File | ||
100% | Avira | TR/Patched.Ren.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1248792 | Download File |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | unknown |
 | true | | unknown |
 | true | | unknown |
 | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | low |
 | | false | | unknown |
 | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | false | |
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true | |
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true | |
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true | |
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 753419 |
Start date and time: | 2022-11-24 19:47:10 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@12/23@0/5 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
19:48:07 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
CMCSUS | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
 | | Get hash | malicious | Browse | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\PrintFolders\Russian.dll (copy) | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 1785853 |
Entropy (8bit): | 5.942323714155969 |
Encrypted: | false |
SSDEEP: | 24576:6+68+Hj+x+D9+k+F+rsu+Y+VHbB2gqthjMt7qKwgevCVtLBpvLFs:T0H6xfdkrcxZ+tFMt7sv4ZW |
MD5: | 988A479E180E7899959663226C9AAC1B |
SHA1: | 17D641877924F5C55E3E4D310CA7DFE45C175F7D |
SHA-256: | 5B026DFAEA2B8A837CDBC90FD42E5951E6AB4B75A7E1937EFCE2265611E11276 |
SHA-512: | E494EBB7B7E3EC5EBC5960E98A46AB7863B1A7CDC7300E50F2C85563610F30BE60CC3667F148D760017009D96D018BC7002F8C6DE64AF105D7E1F698DC3267DE |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1785853 |
Entropy (8bit): | 5.942322646015392 |
Encrypted: | false |
SSDEEP: | 24576:R+68+Hj+x+D9+k+F+rsu+Y+VHbB2gqthjMt7qKwgevCVtLBpvLFs:A0H6xfdkrcxZ+tFMt7sv4ZW |
MD5: | 24DBF089638D212A0988EE71792025E8 |
SHA1: | 6E62F67E5476060B2171526A8458A80525F21F94 |
SHA-256: | B4264A3B330A97C5BC9D419ABF9515966D3397017DF074A5BA08A7BF72A61687 |
SHA-512: | 282A3A3DFA5B86D5FA50376024915F194B143A3F51415B713A335BEB74F8220A5B912E126C4B1E462F599B25069423F1BA836EB628452C0414D12E1FEE6E22AA |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3813 |
Entropy (8bit): | 4.502801686145839 |
Encrypted: | false |
SSDEEP: | 48:wGITyMHLBv8iD86plmE6FoIN0hqkLVO3471qV/LDa0zA47brL1XLjt:fUrp8iD86p45oIyhqYOIh0Nft |
MD5: | 5B3F2721E0A66E1839F68D766D4CA56A |
SHA1: | 3A0C94379344A2224A9E5FA5B23400D3BCB4D921 |
SHA-256: | 9F088E172E91E763423A1E153AD9C74E1739A70AB5DD0E04B0DBDA97D867C9A6 |
SHA-512: | 95D531100020CEA7DC8C0A12CD544865D6119CAA42296C9B76BEA24175431C97E7179019C0E5C68D1779C55FBA2127660CC776BB2BA1C1065D5994309DDC78B9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 658944 |
Entropy (8bit): | 6.468629759056718 |
Encrypted: | false |
SSDEEP: | 12288:Oh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxO0:05NoqWolrP837JzHvA6yknyWFxvJxO0 |
MD5: | 85B94E72C3F2D2B5464E2AAF3C9E242A |
SHA1: | CE7CCAE5F50A990D059D59292D4A332979E162BA |
SHA-256: | 1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7 |
SHA-512: | C0C27189989DB482BE9BDA5B6B8B1441BDC5E9B0F3A414CCAB4C4BE516E7F99E25717845361A5B196114502FAAAF21BEC7ACA91B497ACD2E2396F49C31850880 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: |
|
Preview: |
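The per-file fields in the dropped-file entries above (Size, Entropy, Encrypted, MD5/SHA-1/SHA-256) can be reproduced locally to triage dropped files without the sandbox, and the report's own numbers provide a check: the three 1-byte files PrintFolders.exe writes carry exactly the digests of the single ASCII character "0" (MD5 CFCD2084..., SHA-1 B6589FC6..., SHA-256 5FECEB66...), and the DLL that landed in the IE cache (94,224 bytes, entropy 7.998) is the only file the sandbox marks Encrypted. The Python below is an added example, not code from the Joe Sandbox report. The 7.95 entropy cut-off is an assumption chosen to sit between the report's 7.933 file marked "false" and its 7.998 file marked "true"; the inputs are constructed (a seeded random blob of the cached DLL's size stands in for encrypted content and is not the DLL itself).

```python
import hashlib
import math
import random
from collections import Counter

# Assumption: the report marks a 7.998-entropy DLL "Encrypted: true" and a 7.933-entropy
# file "Encrypted: false", so the cut-off used here sits between the two.
ENCRYPTED_THRESHOLD = 7.95


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Reproduce the per-file fields of the dropped-file table (digests upper-cased as in the report)."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= threshold,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


# Constructed inputs (not files taken from the sandbox run):
# 1. The 1-byte files PrintFolders.exe writes: the report's MD5/SHA-1/SHA-256 for them
#    are the digests of the single ASCII character "0".
ONE_BYTE_MARKER = b"0"
# 2. A deterministic pseudo-random blob of the cached DLL's size (94,224 bytes), standing
#    in for encrypted content; it is not the DLL itself.
RANDOM_BLOB = random.Random(2022).randbytes(94224)
# 3. Repetitive ASCII, the profile of a log or configuration file.
TEXT_SAMPLE = b"PrintFolders installation log\r\nstatus=ok\r\n" * 40


def triage_all() -> dict:
    return {
        "marker": triage_file(ONE_BYTE_MARKER),
        "blob": triage_file(RANDOM_BLOB),
        "text": triage_file(TEXT_SAMPLE),
    }


if __name__ == "__main__":
    for name, info in triage_all().items():
        print(f"{name:6} size={info['size']:6d} entropy={info['entropy']:.3f} "
              f"encrypted={info['encrypted']!s:5} sha256={info['sha256']}")
```

Compressed data scores almost as high as encrypted data, which is why a 7.933-entropy file in this report is not flagged while a 7.998 one is; treat the flag as a prompt to look at the bytes (magic, structure, whether a known container parses) rather than as a verdict.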
File type: | |
Entropy (8bit): | 7.988937012959573 |
TrID: |
|
File name: | file.exe |
File size: | 1315223 |
MD5: | 3b97fd1136b9ed348734e5ea77aaa75a |
SHA1: | fa3e9db1c2f462cf41d43487f0f73be6615876ba |
SHA256: | dbcb891f6ed1d7aca11dd0263d68b3ce082d2e7eca152a098981307da9a6cc24 |
SHA512: | 3df7d8cc58d848a5b7d7e13feb8bb052cb23f6128f748c21164ae03e925e7efe7d81e2cc22fdfae2f5b3f91a230d5f0582c16939bf9451776aa69a50b9dcb6bf |
SSDEEP: | 24576:tiz5xUo9TmhntrEQ5NYa3MH7vfLtduGvvAu1CT7gZIY7eCLxYi3:GMiKbZ5SHuQxMgNeVi3 |
TLSH: | EB553303CED5A434E4F18DB32C6A106859BC7D1239B16072E17D9EE85D1BB89BD2E32D |
File Content Preview: | MZP.....................@.......................Innoo...................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x40968c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | da86ff6d22d7419ae7f10724a403dffd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007F4F0CCE9C5Fh |
call 00007F4F0CCEAF0Ah |
call 00007F4F0CCED0FDh |
call 00007F4F0CCED144h |
call 00007F4F0CCEF693h |
call 00007F4F0CCEF782h |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409D71h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409D27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007F4F0CCF010Fh |
call 00007F4F0CCEFCCEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F4F0CCED5B8h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007F4F0CCE9D0Bh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 004070C4h |
call 00007F4F0CCEDC1Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409D05h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007F4F0CCEDCF3h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007F4F0CCEDE2Dh |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8c8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x263c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8e00 | 0x8e00 | False | 0.6218364876760564 | data | 6.600437911517656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.3115234375 | data | 2.7204325510923035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8c8 | 0xa00 | False | 0.389453125 | data | 4.2507970587946735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x86c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x263c | 0x2800 | False | 0.322265625 | data | 4.568719834340923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
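Several of the static fields above fingerprint the build tooling rather than this particular sample: the "MZP" DOS stub with "This program must be run under Win32", the "Inno" marker in the file preview, the CODE/DATA/BSS section names, and the Time Stamp 0x2A425E19 (19 June 1992), which is the fixed value the Borland/Delphi linker writes into every image and therefore says nothing about when this installer was built. The entry-point listing fits the same toolchain: `push dword ptr fs:[eax]` followed by `mov dword ptr fs:[eax], esp` with eax zeroed links a new SEH frame into the fs:[0] chain. The Python below is an added example, not code from the report: it parses the COFF header, PE32 optional header and section table with struct alone and runs the checks an analyst does by hand on the values printed above (decode the timestamp and compare it with the Delphi constant, find the section holding the entry point, flag non-standard names, writable-and-executable sections and stripped relocations). The bytes it parses are a constructed, header-only PE32 built from this report's section table; it carries no code or data.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# Fixed TimeDateStamp written by the Borland/Delphi linker into every image it produces.
DELPHI_TIMESTAMP = 0x2A425E19
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".pdata", ".crt"}


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional-header fields we need, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase, PE32 layout
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": sc})
    return {"machine": machine, "timestamp": ts, "characteristics": chars,
            "entry": entry, "image_base": image_base, "sections": sections}


def triage(pe: dict) -> dict:
    """The hand checks an analyst runs over the header fields."""
    entry_sec = next((s["name"] for s in pe["sections"]
                      if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw"])), None)
    return {
        "timestamp_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
        "delphi_stamp": pe["timestamp"] == DELPHI_TIMESTAMP,
        "entry_va": pe["image_base"] + pe["entry"],
        "entry_section": entry_sec,
        "nonstandard_sections": [s["name"] for s in pe["sections"]
                                 if s["name"].lower() not in STANDARD_SECTION_NAMES],
        "wx_sections": [s["name"] for s in pe["sections"]
                        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "relocs_stripped": bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED),
    }


def build_sample() -> bytes:
    """Constructed header-only PE32 mirroring the report's section table (no code or data)."""
    secs = [  # (name, VirtualAddress, VirtualSize, RawSize, Characteristics)
        (b"CODE", 0x1000, 0x8E00, 0x8E00, 0x60000020), (b"DATA", 0xA000, 0x248, 0x400, 0xC0000040),
        (b"BSS", 0xB000, 0xE64, 0, 0xC0000000), (b".idata", 0xC000, 0x8C8, 0xA00, 0xC0000040),
        (b".tls", 0xD000, 0x8, 0, 0xC0000000), (b".rdata", 0xE000, 0x18, 0x200, 0x50000040),
        (b".reloc", 0xF000, 0x86C, 0, 0x50000040), (b".rsrc", 0x10000, 0x263C, 0x2800, 0x50000040),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), DELPHI_TIMESTAMP, 0, 0, 224, 0x818F)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 25, 0, 0, 0, 0x968C, 0x1000, 0xA000, 0x400000)
    opt += b"\0" * (224 - len(opt))                                  # rest of the optional header
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, raw, 0, 0, 0, 0, 0, c)
                     for n, va, vs, raw, c in secs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_sample())).items():
        print(f"{key:22} {value}")
```

On the real file the same checks reproduce the report: entry 0x40968c inside CODE, the 1992 stamp, three Borland-named sections, no section that is both writable and executable on disk (the "changes PE section rights" signature is a runtime observation, made after unpacking), and RELOCS_STRIPPED with a .reloc section of raw size zero.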
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1030c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States |
RT_ICON | 0x10434 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States |
RT_ICON | 0x1099c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States |
RT_ICON | 0x10c84 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States |
RT_STRING | 0x1152c | 0x2f2 | data | ||
RT_STRING | 0x11820 | 0x30c | data | ||
RT_STRING | 0x11b2c | 0x2ce | data | ||
RT_STRING | 0x11dfc | 0x68 | data | ||
RT_STRING | 0x11e64 | 0xb4 | data | ||
RT_STRING | 0x11f18 | 0xae | data | ||
RT_GROUP_ICON | 0x11fc8 | 0x3e | data | English | United States |
RT_VERSION | 0x12008 | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x123b0 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
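The TCP table that follows lists one row per packet (timestamp, source port, destination port, source IP, destination IP) with the sandbox guest at 192.168.2.4. Two remote endpoints appear: 45.139.105.171:80, a seven-packet exchange on client port 49695, and 107.182.129.235:80 on client port 49696, where long runs of consecutive server-to-client packets are the shape of a bulk HTTP response. To turn such a table into flows and an endpoint list, the Python below is an added example, not code from the report: it parses rows in exactly the printed format, pairs each packet with its flow using the private-address side as the guest, counts packets per direction, and emits the unique remote ip:port pairs. The rows it runs on are copied from the first lines of the table below and labelled as a constructed sample; the header line is included deliberately to show that non-matching rows are skipped.

```python
import ipaddress
import re
from datetime import datetime

# One packet row as the report prints it: "Nov 24, 2022 19:48:08.845411062 CET | 49695 | 80 | ... |"
ROW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ \| "
    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<sip>[\d.]+) \| (?P<dip>[\d.]+) \|?$")


def parse_row(line: str):
    """Return (timestamp, sport, dport, sip, dip) or None for a line that is not a packet row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    # The report carries nanoseconds; datetime holds microseconds, so keep the first six digits.
    ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S").replace(
        microsecond=int(m["frac"][:6].ljust(6, "0")))
    return ts, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def summarize_flows(lines) -> dict:
    """Group packets into guest<->internet flows keyed by (guest_ip, guest_port, remote_ip, remote_port)."""
    flows = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        ts, sport, dport, sip, dip = row
        src_private = ipaddress.ip_address(sip).is_private
        dst_private = ipaddress.ip_address(dip).is_private
        if src_private and not dst_private:
            key, direction = (sip, sport, dip, dport), "out"
        elif dst_private and not src_private:
            key, direction = (dip, dport, sip, sport), "in"
        else:
            continue  # both private or both public: not a guest-to-internet packet
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": ts, "last": ts})
        f[direction] += 1
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    for f in flows.values():
        f["duration_s"] = (f["last"] - f["first"]).total_seconds()
    return flows


def remote_endpoints(flows) -> list:
    """Unique remote (ip, port) pairs, sorted numerically by address, ready for blocking or hunting."""
    return sorted({(k[2], k[3]) for k in flows},
                  key=lambda e: (ipaddress.ip_address(e[0]), e[1]))


# Constructed sample: the first rows of the report's TCP table plus its header line.
SAMPLE_ROWS = """\
Nov 24, 2022 19:48:08.845411062 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.872612953 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.872729063 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.873241901 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.901078939 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.906027079 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.906120062 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.952500105 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:08.980077982 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:08.980241060 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:08.980861902 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.008341074 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.008464098 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.008567095 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
""".splitlines()


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_ROWS)
    for key, f in flows.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  out={f['out']} in={f['in']} "
              f"duration={f['duration_s']:.6f}s")
    print("remote endpoints:", remote_endpoints(flows))
```

Packet counts say nothing about payload size (the table has no length column), so the "bulk response" reading rests on the run lengths alone; the PCAP, where available, is the place to confirm what was fetched.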
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2022 19:48:08.845411062 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.872612953 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.872729063 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.873241901 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.901078939 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.906027079 CET | 80 | 49695 | 45.139.105.171 | 192.168.2.4 |
Nov 24, 2022 19:48:08.906120062 CET | 49695 | 80 | 192.168.2.4 | 45.139.105.171 |
Nov 24, 2022 19:48:08.952500105 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:08.980077982 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:08.980241060 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:08.980861902 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.008341074 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.008464098 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.008567095 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.039063931 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.066371918 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066755056 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066803932 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066845894 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066903114 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.066903114 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.066903114 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.066922903 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066966057 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.066988945 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.067008972 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.067040920 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.067050934 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.067066908 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.067095041 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.067109108 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.067137957 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.067181110 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.067195892 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.067259073 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.094621897 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094691038 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094738007 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094780922 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094821930 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094830036 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.094830990 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.094866037 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094914913 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.094937086 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.094944000 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.094988108 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.095006943 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.095030069 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.095033884 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.095074892 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.095083952 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.095130920 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123045921 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123111010 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123155117 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123194933 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123235941 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123246908 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123246908 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123281002 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123302937 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123326063 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123344898 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123368025 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123387098 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123410940 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123424053 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123452902 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123467922 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123495102 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.123506069 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.123547077 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151106119 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151173115 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151259899 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151293993 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151293993 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151305914 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151349068 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151355028 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151355028 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151391983 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151417971 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151433945 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151444912 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151477098 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151489019 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151520014 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151531935 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151562929 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151580095 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Nov 24, 2022 19:48:09.151604891 CET | 80 | 49696 | 107.182.129.235 | 192.168.2.4 |
Nov 24, 2022 19:48:09.151627064 CET | 49696 | 80 | 192.168.2.4 | 107.182.129.235 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49695 | 45.139.105.171 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 19:48:08.873241901 CET | 92 | OUT | |
Nov 24, 2022 19:48:08.906027079 CET | 92 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.4 | 49696 | 107.182.129.235 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 19:48:08.980861902 CET | 93 | OUT | |
Nov 24, 2022 19:48:09.008464098 CET | 93 | IN | |
Nov 24, 2022 19:48:09.039063931 CET | 93 | OUT | |
Nov 24, 2022 19:48:09.066755056 CET | 95 | IN | |