Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 3748 cmdline: C:\Users\user\Desktop\file.exe MD5: 71F3A21CCD6E54F8178D3FB65F4849B9)
- is-I19BM.tmp (PID: 5936 cmdline: "C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp" /SL4 $30366 "C:\Users\user\Desktop\file.exe" 2214542 96256 MD5: 2C3832FDF847813369EC960CD39C8265)
- ntFolders.exe (PID: 4824 cmdline: "C:\Program Files (x86)\PrintFolders\ntFolders.exe" MD5: D9A39F6C4EEDC8F1B89E30D35012D6B4)
- karcA17.exe (PID: 412 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 5776 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5920 cmdline: taskkill /im "ntFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
No Sigma rule has matched
Timestamp: | 12/09/22-11:02:15.223774 |
Source IP: | 192.168.2.4 |
Destination IP: | 45.139.105.171 |
SID: | 2041920 |
Source Port: | 49691 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 12/09/22-11:02:15.529889 |
Source IP: | 107.182.129.235 |
Destination IP: | 192.168.2.4 |
SID: | 2852925 |
Source Port: | 80 |
Destination Port: | 49692 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 13 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 2% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 2% | ReversingLabs | | |
| | 50% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| | 100% | Avira | HEUR/AGEN.1250671 | | Download File |
| | 100% | Avira | TR/Crypt.XPACK.Gen2 | | Download File |
| | 100% | Avira | TR/Patched.Ren.Gen | | Download File |
| | 100% | Avira | TR/Crypt.XPACK.Gen2 | | Download File |
| | 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File |
| | 100% | Avira | HEUR/AGEN.1232832 | | Download File |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 100% | URL Reputation | malware | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 100% | Avira URL Cloud | malware | |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | true | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | low |
| | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | | 33657 | CMCSUS | true |
45.139.105.1 | unknown | Italy | | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | | 11070 | META-ASUS | true |
171.22.30.106 | unknown | Germany | | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 764043 |
Start date and time: | 2022-12-09 11:01:11 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@12/23@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
11:02:14 | API Interceptor |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3602504 |
Entropy (8bit): | 5.8368779870150345 |
Encrypted: | false |
SSDEEP: | 98304:Z3O+M+AbmcsW7AfGFVXgMUP31PkZtXEknL1K:sKgaUK |
MD5: | 9DF53593153D2E4306BBD631651FAAA5 |
SHA1: | 1D5BDD8D616DA78DE7873CA5F677AE278A456F52 |
SHA-256: | F56698F56D213A36ACA4D618A7E8D99F8C9D0EA7F35EEA06BBDF5C5B59BFA779 |
SHA-512: | 656E2E7A9B7D6C19DDFEA437FE0866D649DB784081403945A8651B887773073649B73295E468509A6CF1DFC5D1E7D0F787F77A468678F244B4BCAE93FBC0CE42 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 714506 |
Entropy (8bit): | 6.488639273564823 |
Encrypted: | false |
SSDEEP: | 12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ |
MD5: | F82EF8A460249A7A71B8DA396C651027 |
SHA1: | 1BA036C9860EB581550998DA24980CC63CD7E2C9 |
SHA-256: | B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218 |
SHA-512: | F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3602504 |
Entropy (8bit): | 5.836878591136461 |
Encrypted: | false |
SSDEEP: | 98304:I3O+M+AbmcsW7AfGFVXgMUP31PkZtXEknL1K:BKgaUK |
MD5: | D9A39F6C4EEDC8F1B89E30D35012D6B4 |
SHA1: | 6B995728348DA6F3D77F9D30D8D698C8D9DC58A6 |
SHA-256: | 6ADB7A807679CDB8B473A987BB42253EE9C64D5ED137F58C8E99B1E5314C8607 |
SHA-512: | 3C19F677A2BE3D6E75583D655A3C09DA2F5659A58E17F0A60BB29A1CBB4CBF83B779925103D5F663D1E20C6E6BD23CF7715DA3D226AA07ACA30E4D233EA1458E |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3804 |
Entropy (8bit): | 4.497837488733423 |
Encrypted: | false |
SSDEEP: | 48:zX8myMHLBv8iD86plmlDFoIN0hqkLVO3471qVToa0zA47bJMuGT:Brp8iD86p4lJoIyhqYOIh0XF |
MD5: | 02B48BE9B78F86E1872D2FD95908AE0B |
SHA1: | C72A4E9BBAA57A03ECF5DD74925394E45F791C47 |
SHA-256: | DE199B6A2F5065AD731A6BD5C9D80050791BA78BCD6963B758FD13FBF647CA84 |
SHA-512: | 68458F599618DB47A15EC15E6537863A980E3443024BD61F649E85FE37A8D4571FB989453B20CCE2384021666EA5876E275E9874172A0A403ACEB7B6232C3950 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 714506 |
Entropy (8bit): | 6.488639273564823 |
Encrypted: | false |
SSDEEP: | 12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ |
MD5: | F82EF8A460249A7A71B8DA396C651027 |
SHA1: | 1BA036C9860EB581550998DA24980CC63CD7E2C9 |
SHA-256: | B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218 |
SHA-512: | F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A |
Malicious: | true |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 704000 |
Entropy (8bit): | 6.478833170287182 |
Encrypted: | false |
SSDEEP: | 12288:gh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOM:y5NoqWolrP837JzHvA6yknyWFxvVxOM |
MD5: | 2C3832FDF847813369EC960CD39C8265 |
SHA1: | 35B24C0B451E987C1E2B07B670A65FBCB02B118C |
SHA-256: | 2820D4BDBD9CAB3EEE82C86B11CFB2B8EC55247BCB975331078ECD182C1471B2 |
SHA-512: | 408A642264E967AAA78CC7B58529AAA152BA85AF12A4DC7DBA0A82E560E08299031CB45D8DE78E5FA26F03FC6DB863344AAA68E010F7DDDA4FC29501365D986A |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
File type: | |
Entropy (8bit): | 7.986537727068986 |
File name: | file.exe |
File size: | 2460138 |
MD5: | 71f3a21ccd6e54f8178d3fb65f4849b9 |
SHA1: | b24f88c179a8e0777bffbcc4c9f969fb4d32d148 |
SHA256: | 7dbb8aa3f00f0f0d24acf0b1bdb73d05f422e90fd46c2a6fed0b44fe9a0a721a |
SHA512: | e1aaf1fc9dad13243ff435730a215bcd45b8e026e55d9fd38be74cef81b213ce56c33ac00b46c3707e048a1e4b3de788f7f236121406866b0f8786e9ec6c5626 |
SSDEEP: | 49152:aGoOZy1S1FBih4gcjlZZQPTbncg1Gk1QBfEkULNQ69Z3yS8/5csoZBZH:aGoOZcS1FBih4TrYrcg1Z1UfGL2gZiS3 |
TLSH: | 08B533C7F884C63DFD6851745E7BA17100F82CFC2E20582E27ECBF9B5276441695AB29 |
File Content Preview: | MZP.....................@.......................Inno..%.=v..............!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | ecccdac6c6c6d464 |
Entrypoint: | 0x40968c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | da86ff6d22d7419ae7f10724a403dffd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007F3280C36F8Fh |
call 00007F3280C3823Ah |
call 00007F3280C3A42Dh |
call 00007F3280C3A474h |
call 00007F3280C3C9C3h |
call 00007F3280C3CAB2h |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409D71h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409D27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007F3280C3D43Fh |
call 00007F3280C3CFFEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F3280C3A8E8h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007F3280C3703Bh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 004070C4h |
call 00007F3280C3AF4Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409D05h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007F3280C3B023h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007F3280C3B15Dh |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8c8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0xd5a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8e00 | 0x8e00 | False | 0.6218364876760564 | data | 6.600437911517656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.3115234375 | data | 2.7204325510923035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8c8 | 0xa00 | False | 0.389453125 | data | 4.2507970587946735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x86c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0xd5a0 | 0xd600 | False | 0.2876204731308411 | data | 5.7136247823841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1042c | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4608 | English | United States |
RT_ICON | 0x11a54 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States |
RT_ICON | 0x128fc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States |
RT_ICON | 0x131a4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | English | United States |
RT_ICON | 0x1386c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States |
RT_ICON | 0x13dd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States |
RT_ICON | 0x17ffc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_ICON | 0x1a5a4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
RT_ICON | 0x1b64c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States |
RT_ICON | 0x1bfd4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
RT_STRING | 0x1c43c | 0x2f2 | data | ||
RT_STRING | 0x1c730 | 0x30c | data | ||
RT_STRING | 0x1ca3c | 0x2ce | data | ||
RT_STRING | 0x1cd0c | 0x68 | data | ||
RT_STRING | 0x1cd74 | 0xb4 | data | ||
RT_STRING | 0x1ce28 | 0xae | data | ||
RT_GROUP_ICON | 0x1ced8 | 0x92 | data | English | United States |
RT_VERSION | 0x1cf6c | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x1d314 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/09/22-11:02:15.223774 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49691 | 80 | 192.168.2.4 | 45.139.105.171 |
12/09/22-11:02:15.529889 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 9, 2022 11:02:15.195147038 CET | 49691 | 80 | 192.168.2.4 | 45.139.105.171 |
Dec 9, 2022 11:02:15.221927881 CET | 80 | 49691 | 45.139.105.171 | 192.168.2.4 |
Dec 9, 2022 11:02:15.222026110 CET | 49691 | 80 | 192.168.2.4 | 45.139.105.171 |
Dec 9, 2022 11:02:15.223773956 CET | 49691 | 80 | 192.168.2.4 | 45.139.105.171 |
Dec 9, 2022 11:02:15.250996113 CET | 80 | 49691 | 45.139.105.171 | 192.168.2.4 |
Dec 9, 2022 11:02:15.255343914 CET | 80 | 49691 | 45.139.105.171 | 192.168.2.4 |
Dec 9, 2022 11:02:15.255431890 CET | 49691 | 80 | 192.168.2.4 | 45.139.105.171 |
Dec 9, 2022 11:02:15.388844967 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.415699005 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.415824890 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.416578054 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.443360090 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.443711042 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.443802118 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.502656937 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.529623032 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.529889107 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.529921055 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.529939890 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.529963017 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.529979944 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.529989958 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530008078 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530031919 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530039072 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530055046 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530065060 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530072927 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530088902 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530102015 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530116081 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530126095 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530143023 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.530153036 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.530181885 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.556906939 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.556941032 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.556961060 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.556979895 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.556998968 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557018995 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557045937 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557063103 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557070017 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557089090 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557102919 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557116985 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557138920 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557147026 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557168961 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557174921 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557188988 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557203054 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557212114 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557228088 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557238102 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557254076 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557265997 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557281971 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557301998 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557308912 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557320118 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557336092 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557344913 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557370901 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557382107 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557404995 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557419062 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557444096 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.557455063 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.557491064 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.584275961 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.584310055 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.584326982 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.584348917 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.584368944 CET | 49692 | 80 | 192.168.2.4 | 107.182.129.235 |
Dec 9, 2022 11:02:15.584376097 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.584395885 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Dec 9, 2022 11:02:15.584414959 CET | 80 | 49692 | 107.182.129.235 | 192.168.2.4 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49691 | 45.139.105.171 | 80 | C:\Program Files (x86)\PrintFolders\ntFolders.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 9, 2022 11:02:15.223773956 CET | 0 | OUT | |
Dec 9, 2022 11:02:15.255343914 CET | 1 | IN | |

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.4 | 49692 | 107.182.129.235 | 80 | C:\Program Files (x86)\PrintFolders\ntFolders.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 9, 2022 11:02:15.416578054 CET | 1 | OUT | |
Dec 9, 2022 11:02:15.443711042 CET | 2 | IN | |
Dec 9, 2022 11:02:15.502656937 CET | 2 | OUT | |
Dec 9, 2022 11:02:15.529889107 CET | 3 | IN | |