Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 2148, cmdline: C:\Users\user\Desktop\file.exe, MD5: E0F8085C7CB8EB9CF1C263BB12CFC6DF)
- is-DTRND.tmp (PID: 6048, cmdline: "C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp" /SL4 $902D6 "C:\Users\user\Desktop\file.exe" 1818498 170496, MD5: E8176050192FBB976D70238E3C121F4C)
- SplitFiles131.exe (PID: 4360, cmdline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe", MD5: 361518D6CC3C25EEC2DFC1DE82B055B2)
- KN38AzDG.exe (PID: 1960, cmdline: [not present in report], MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 1876, cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5272, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5224, cmdline: taskkill /im "SplitFiles131.exe" /f, MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
01/05/23-08:47:10.017687 | 107.182.129.235 | 80 | 192.168.2.5 | 49706 | TCP | 2852925 | A Network Trojan was detected |
01/05/23-08:47:09.800462 | 192.168.2.5 | 49705 | 45.139.105.171 | 80 | TCP | 2041920 | A Network Trojan was detected |
01/05/23-08:47:09.990287 | 192.168.2.5 | 49706 | 107.182.129.235 | 80 | TCP | 2852981 | A Network Trojan was detected |
01/05/23-08:47:09.925610 | 192.168.2.5 | 49706 | 107.182.129.235 | 80 | TCP | 2852980 | A Network Trojan was detected |
AV Detection |
---|
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 4_2_10001000 | |
Source: | Code function: | 4_2_10001130 | |
Source: | Code function: | 5_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Code function: | 4_2_0046CA68 | |
Source: | Code function: | 4_2_00474A14 | |
Source: | Code function: | 4_2_0045157C | |
Source: | Code function: | 4_2_0045E244 | |
Source: | Code function: | 4_2_0048AC5C | |
Source: | Code function: | 4_2_00472CD4 | |
Source: | Code function: | 4_2_0045CDA4 | |
Source: | Code function: | 4_2_0045DEB0 | |
Source: | Code function: | 5_2_00404490 | |
Source: | Code function: | 5_2_00423E2D | |
Source: | Code function: | 5_2_1000959D | |
Source: | Code function: | 6_2_00104A1A |
Source: | File opened: | |
Networking |
---|
Source: | Snort IDS: | |
Source: | IPs: | |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | |
Source: | String found in binary or memory: | |
Source: | Code function: | 5_2_00401B30 |
Source: | HTTP traffic detected: | |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | |
Source: | Static PE information: |
Source: | Code function: | 1_2_00408280 | |
Source: | Code function: | 4_2_00468C28 | |
Source: | Code function: | 4_2_00461280 | |
Source: | Code function: | 4_2_0043DE40 | |
Source: | Code function: | 4_2_004302D0 | |
Source: | Code function: | 4_2_004445B8 | |
Source: | Code function: | 4_2_00434864 | |
Source: | Code function: | 4_2_0047AA90 | |
Source: | Code function: | 4_2_00444B60 | |
Source: | Code function: | 4_2_0045ADE0 | |
Source: | Code function: | 4_2_00480F94 | |
Source: | Code function: | 4_2_00445258 | |
Source: | Code function: | 4_2_004132E1 | |
Source: | Code function: | 4_2_00463288 | |
Source: | Code function: | 4_2_00435568 | |
Source: | Code function: | 4_2_00445664 | |
Source: | Code function: | 4_2_0042F874 | |
Source: | Code function: | 4_2_00457F04 | |
Source: | Code function: | 5_2_00404490 | |
Source: | Code function: | 5_2_004096F0 | |
Source: | Code function: | 5_2_004056A0 | |
Source: | Code function: | 5_2_00406800 | |
Source: | Code function: | 5_2_00406AA0 | |
Source: | Code function: | 5_2_00404D40 | |
Source: | Code function: | 5_2_00405F40 | |
Source: | Code function: | 5_2_00402F20 | |
Source: | Code function: | 5_2_004150D3 | |
Source: | Code function: | 5_2_00415305 | |
Source: | Code function: | 5_2_004223A9 | |
Source: | Code function: | 5_2_00419510 | |
Source: | Code function: | 5_2_00404840 | |
Source: | Code function: | 5_2_00426850 | |
Source: | Code function: | 5_2_00410A50 | |
Source: | Code function: | 5_2_0042AB9A | |
Source: | Code function: | 5_2_00421C88 | |
Source: | Code function: | 5_2_0042ACBA | |
Source: | Code function: | 5_2_00447D2D | |
Source: | Code function: | 5_2_00428D39 | |
Source: | Code function: | 5_2_00404F20 | |
Source: | Code function: | 5_2_1000F670 | |
Source: | Code function: | 5_2_1000EC61 | |
Source: | Code function: | 6_2_0010AE8D |
Source: | Code function: | 4_2_00423C4C | |
Source: | Code function: | 4_2_004126A0 | |
Source: | Code function: | 4_2_00455514 |
Source: | Static PE information: | |
Source: | Binary or memory string: | |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 1_2_0040910C | |
Source: | Code function: | 4_2_00453D80 |
Source: | WMI Queries: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 5_2_00401B30 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 4_2_004547A0 |
Source: | Code function: | 5_2_00402BF0 |
Source: | Code function: | 5_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 4_2_0040B090 |
Source: | File created: | Jump to behavior |
Source: | Command line argument: | 5_2_004096F0 | |
Source: | Command line argument: | 5_2_004096F0 | |
Source: | Command line argument: | 5_2_004096F0 | |
Source: | Command line argument: | 5_2_004096F0 |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 1_2_004065C9 | |
Source: | Code function: | 1_2_00404195 | |
Source: | Code function: | 1_2_0040442D | |
Source: | Code function: | 1_2_0040442D | |
Source: | Code function: | 1_2_0040442D | |
Source: | Code function: | 1_2_00408C07 | |
Source: | Code function: | 1_2_0040442D | |
Source: | Code function: | 1_2_00407F41 | |
Source: | Code function: | 4_2_00409A55 | |
Source: | Code function: | 4_2_0040A108 | |
Source: | Code function: | 4_2_004302D5 | |
Source: | Code function: | 4_2_004063C1 | |
Source: | Code function: | 4_2_0047866B | |
Source: | Code function: | 4_2_0041079D | |
Source: | Code function: | 4_2_00412A4B | |
Source: | Code function: | 4_2_0045AAA1 | |
Source: | Code function: | 4_2_00450EDF | |
Source: | Code function: | 4_2_0040D0F2 | |
Source: | Code function: | 4_2_00443534 | |
Source: | Code function: | 4_2_004055F9 | |
Source: | Code function: | 4_2_0040F652 | |
Source: | Code function: | 4_2_00405891 | |
Source: | Code function: | 4_2_00405891 | |
Source: | Code function: | 4_2_00405891 | |
Source: | Code function: | 4_2_00405891 | |
Source: | Code function: | 4_2_00479B25 | |
Source: | Code function: | 4_2_00419CF5 | |
Source: | Code function: | 5_2_004311B6 | |
Source: | Code function: | 5_2_0040F4CE |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | |
Source: | Code function: | 4_2_00423CD4 | |
Source: | Code function: | 4_2_00423CD4 | |
Source: | Code function: | 4_2_00478118 | |
Source: | Code function: | 4_2_0042425C | |
Source: | Code function: | 4_2_004242A4 | |
Source: | Code function: | 4_2_0041844C | |
Source: | Code function: | 4_2_00422924 | |
Source: | Code function: | 4_2_00417660 | |
Source: | Code function: | 4_2_00417D96 | |
Source: | Code function: | 4_2_00417D98 |
Source: | Process information set: | |
Source: | Thread sleep count: | Jump to behavior |
Source: | Evasive API call chain: | graph_1-5522 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: | |
Source: | Check user administrative privileges: | graph_5-35022 |
Source: | API coverage: |
Source: | Code function: | 5_2_004056A0 |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 1_2_00409764 |
Source: | Code function: | 4_2_0046CA68 | |
Source: | Code function: | 4_2_00474A14 | |
Source: | Code function: | 4_2_0045157C | |
Source: | Code function: | 4_2_0045E244 | |
Source: | Code function: | 4_2_0048AC5C | |
Source: | Code function: | 4_2_00472CD4 | |
Source: | Code function: | 4_2_0045CDA4 | |
Source: | Code function: | 4_2_0045DEB0 | |
Source: | Code function: | 5_2_00404490 | |
Source: | Code function: | 5_2_00423E2D | |
Source: | Code function: | 5_2_1000959D | |
Source: | Code function: | 6_2_00104A1A |
Source: | File opened: | |
Source: | Code function: | 5_2_0041336B |
Source: | Code function: | 5_2_00402BF0 |
Source: | Code function: | 5_2_00402F20 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 5_2_0044028F | |
Source: | Code function: | 5_2_0042041F | |
Source: | Code function: | 5_2_004429E7 | |
Source: | Code function: | 5_2_00417BAF | |
Source: | Code function: | 5_2_100091C7 | |
Source: | Code function: | 5_2_10006CE1 | |
Source: | Code function: | 6_2_00105B47 | |
Source: | Code function: | 6_2_001033EF |
Source: | Code function: | 5_2_0040F789 | |
Source: | Code function: | 5_2_0041336B | |
Source: | Code function: | 5_2_0040F5F5 | |
Source: | Code function: | 5_2_0040EBD2 | |
Source: | Code function: | 5_2_10006180 | |
Source: | Code function: | 5_2_100035DF | |
Source: | Code function: | 5_2_10003AD4 | |
Source: | Code function: | 6_2_00101889 | |
Source: | Code function: | 6_2_00101269 | |
Source: | Code function: | 6_2_001016F5 | |
Source: | Code function: | 6_2_00104362 |
Source: | Process created: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 4_2_00459734 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 1_2_004051D8 | |
Source: | Code function: | 1_2_00405224 | |
Source: | Code function: | 4_2_004085FC | |
Source: | Code function: | 4_2_00408648 | |
Source: | Code function: | 5_2_00404D40 | |
Source: | Code function: | 5_2_00427041 | |
Source: | Code function: | 5_2_0042708C | |
Source: | Code function: | 5_2_00427127 | |
Source: | Code function: | 5_2_004271B2 | |
Source: | Code function: | 5_2_0041E2FF | |
Source: | Code function: | 5_2_00427405 | |
Source: | Code function: | 5_2_0042752B | |
Source: | Code function: | 5_2_00427631 | |
Source: | Code function: | 5_2_00427700 | |
Source: | Code function: | 5_2_0041E821 | |
Source: | Code function: | 5_2_00426D9F |
Source: | Code function: | 5_2_0040F7F3 |
Source: | Code function: | 4_2_00455E7C |
Source: | Code function: | 1_2_004026C4 |
Source: | Code function: | 1_2_00405CC0 |
Source: | Code function: | 4_2_00453D18 |
Stealing of Sensitive Information |
---|
Source: | File source: | |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 14 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 13 Process Injection | Proc Filesystem | 11 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
50% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen8 | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen2 | Download File | ||
100% | Avira | HEUR/AGEN.1250671 | Download File | ||
100% | Avira | HEUR/AGEN.1248792 | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen2 | Download File |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
2% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | low |
| | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | true |
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true |
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 778228 |
Start date and time: | 2023-01-05 08:46:10 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@12/39@0/5 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
08:47:09 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | 20 associated samples (names and hashes not present in this extract) | | malicious | | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | 20 associated samples (names and hashes not present in this extract) | | malicious | | |
CMCSUS | 20 associated samples (names and hashes not present in this extract) | | malicious | | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\Split Files\is-AGVDF.tmp | (associated samples not extracted; every listed sample is detected as malicious) | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2193 |
Entropy (8bit): | 4.702648325021821 |
Encrypted: | false |
SSDEEP: | 24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g |
MD5: | EA42A2F0D0B4CBE042DE38568E18F1AC |
SHA1: | 58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771 |
SHA-256: | AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A |
SHA-512: | 6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2942 |
Entropy (8bit): | 5.0506474169868945 |
Encrypted: | false |
SSDEEP: | 48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+ |
MD5: | 58D65074A58BC8EAE2D5A3B589399A53 |
SHA1: | 074E7E5BFD52200086309913670D49BA664FB279 |
SHA-256: | 2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90 |
SHA-512: | C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3491315 |
Entropy (8bit): | 5.600225128146387 |
Encrypted: | false |
SSDEEP: | 24576:8kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:8VQj5EtvSpZvJFIp9IM1ft22mHBldXXL |
MD5: | 361518D6CC3C25EEC2DFC1DE82B055B2 |
SHA1: | 5B298ED47BDEFA0BB953F277649CCB7C3A308C3C |
SHA-256: | 616BB3AC1AE4651819FCD80CB8357940061AF64A21401C33E8C84CFF41679211 |
SHA-512: | 4EFAC7D2D772FDD8D3DAC80CE7874D5E85957D39B8F1392E00CF8969F87076A1146363990212ED79E63ADEF92427514E3E7D957B2E3E3D056E5A6741D57FA030 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3491315 |
Entropy (8bit): | 5.600224518949536 |
Encrypted: | false |
SSDEEP: | 24576:3kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:3VQj5EtvSpZvJFIp9IM1ft22mHBldXXL |
MD5: | F488A4815DE52F915E37E40EA88B011F |
SHA1: | 16F9954F5E9FE6CB50125396B7DB524218D01237 |
SHA-256: | E13C9E749995269A3C45C6464B2F0BF55283288FD020FE4D0F1CA811142CC2AC |
SHA-512: | 04262ADC77B3126FCB9A8991612DDCFC35DF7F35988D108079A0BACF04350C57E829CA8E8C74833D0A0D9D9CD1DD480B9F4FA7145051AECF85D23C85A90667E2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 789258 |
Entropy (8bit): | 6.369988626022893 |
Encrypted: | false |
SSDEEP: | 12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU |
MD5: | D3BA43B9E1B3838F28AFC558F2991D5B |
SHA1: | 1132F1C76760281A591F7DF99D592283103FCC87 |
SHA-256: | 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9 |
SHA-512: | 870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022 |
Malicious: | true |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 97 |
Entropy (8bit): | 5.12302231676258 |
Encrypted: | false |
SSDEEP: | 3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy |
MD5: | DCD6923B008121BFF4C7C0AA1206286E |
SHA1: | AD4EF16A96A80C8EA5DBC5933229580BC6C332E0 |
SHA-256: | E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376 |
SHA-512: | EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2266 |
Entropy (8bit): | 5.4593359267896355 |
Encrypted: | false |
SSDEEP: | 48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf |
MD5: | 4ABA9765EB3555788F5706D87A9D2DCA |
SHA1: | 36C0895FBF9F99690CA55C54CC56310E24513113 |
SHA-256: | E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433 |
SHA-512: | 3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2345 |
Entropy (8bit): | 5.847861612631974 |
Encrypted: | false |
SSDEEP: | 48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK |
MD5: | A5C9FEA89EFE8E2162BA477E8EA39B44 |
SHA1: | E6A2042C574D14786891F0C32F92C8292BBB4ACA |
SHA-256: | 8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA |
SHA-512: | 3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2687 |
Entropy (8bit): | 5.051567814097503 |
Encrypted: | false |
SSDEEP: | 48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE |
MD5: | D2471D35D833E2544D67365E015E6153 |
SHA1: | 497EE8FF9519D025BD10C5AA15DDC34DFB1B334B |
SHA-256: | 4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7 |
SHA-512: | C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2594 |
Entropy (8bit): | 5.044497576650396 |
Encrypted: | false |
SSDEEP: | 48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H |
MD5: | 76776746B3CFF1CBD5D56CD44CA2DEF5 |
SHA1: | 2F2ECA50BD7F72232BE84291EF1A7956C24098CC |
SHA-256: | EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3 |
SHA-512: | 202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2507 |
Entropy (8bit): | 5.040552699764577 |
Encrypted: | false |
SSDEEP: | 48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD |
MD5: | 336D33F55222F48FBA19EF0911732766 |
SHA1: | E17A78E3B48192361DB540B1E8C9D0548C9A9FFE |
SHA-256: | 0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C |
SHA-512: | 67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2729 |
Entropy (8bit): | 5.029883215699414 |
Encrypted: | false |
SSDEEP: | 48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN |
MD5: | 8AFE543CB6791AA250312EBA61BF7C13 |
SHA1: | BFD229D43BE86728A634055AD65860157C2671BD |
SHA-256: | AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC |
SHA-512: | 5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2299 |
Entropy (8bit): | 5.691502190790686 |
Encrypted: | false |
SSDEEP: | 48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD |
MD5: | F9F47FF3D866FFC4F38E315E41356E55 |
SHA1: | EFC313A99993B5FB8A454D4C5197C6F3965B5C89 |
SHA-256: | 3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957 |
SHA-512: | 6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2718 |
Entropy (8bit): | 5.057121428169199 |
Encrypted: | false |
SSDEEP: | 48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG |
MD5: | 21B4D47F5D851271C89310C92777FB70 |
SHA1: | 9D85FF8F7107CFAE3F31993FAF7F249591AFCB27 |
SHA-256: | D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7 |
SHA-512: | 46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2607 |
Entropy (8bit): | 5.234177949162883 |
Encrypted: | false |
SSDEEP: | 48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx |
MD5: | E1271E0DDD609CD7F9C2367D32FEBE4B |
SHA1: | 0A420424F1FADE0BFF002E63AAD22B5E94B86CAC |
SHA-256: | AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F |
SHA-512: | 86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4441 |
Entropy (8bit): | 4.697339464808845 |
Encrypted: | false |
SSDEEP: | 48:kHED69yMlLBv8rD85pPmUIrBdcoINLFhqkLVO3471hD5WpPLDfDxLDvvDHD1DoDs:k7VZp8rD85pPmaoINFhqYOIhHeSk9WI |
MD5: | 35B9424FD3C02A2403561DA3E5D80E26 |
SHA1: | B944DC166C6A5BE77937B09B3E67175C422B4337 |
SHA-256: | B430632DBF9232BCC488DFD294297D1A197A832FB83333C6C601D7E41A587DBE |
SHA-512: | 1028FFD68185DA62C2A64B1D699733F89116AA8006CBB93B80609D675E02A80E9ACC2190E22F00CCE6B1F1168875354F855DBE750B67DC4DE8F2853FA9C8D0E7 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 778752 |
Entropy (8bit): | 6.357908612813808 |
Encrypted: | false |
SSDEEP: | 12288:cpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOG:2mt2bfrP437QzH/A6A7E7dVPUxOG |
MD5: | E8176050192FBB976D70238E3C121F4C |
SHA1: | 2F1FD24EFE1F3F3FEE775CC3F5255B32F8880900 |
SHA-256: | AB4FE42A7B708DDB648BB2088216FF47B877AE599FD52FF50359FC1DB8E11EF7 |
SHA-512: | 27EDF7A71C6546F1AB52E7EF97E404975DDD237D6C2D1038D24A49EAB724971884510F00F427C713ADB105857A0B12C7D57CA1CA1C70A6CEFED4BE619C345F4C |
Malicious: | true |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: | |
Preview: |
File type: | |
Entropy (8bit): | 7.9318000564899 |
TrID: | |
File name: | file.exe |
File size: | 2094367 |
MD5: | e0f8085c7cb8eb9cf1c263bb12cfc6df |
SHA1: | a109ebcf251a1e69923c60330994190e40ab466c |
SHA256: | a28fb531e91695081ac9a3a08bd9be333462f84a3b1e9de81dda94869fd3d32a |
SHA512: | 11f39030a9e5f5a095c85aa087fe949ed7e83e1a53a3df487baab09a38d5e744150a8d4e7b34eaec28678561861e640cb34231b893a7f38751f143d0ea1305d1 |
SSDEEP: | 49152:XirWlOmsJ8sSNd3HEKBqd0yLaS1vNf+8UkqBx:XiClONJu3HEKBqd0yLaGFfvqH |
TLSH: | 9FA51232715472EEFCE369B0584F426D66236FB3A1A87E2E310A37365A61331F115F1A |
File Content Preview: | MZP.....................@.......................Inno....................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | b8ba6cc880e1f204 |
Entrypoint: | 0x409820 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | e92b45c54aa05ec107d5ef90662e6b33 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007FC5F939961Bh |
call 00007FC5F939A8C6h |
call 00007FC5F939CAC9h |
call 00007FC5F939CB10h |
call 00007FC5F939F107h |
call 00007FC5F939F26Eh |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409F05h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409EBBh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007FC5F939FC5Fh |
call 00007FC5F939F81Eh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007FC5F939CF84h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007FC5F93996C7h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 00407158h |
call 00007FC5F939D66Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409E99h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007FC5F939D767h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007FC5F939D8A1h |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8f0 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1f558 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8f94 | 0x9000 | False | 0.6195203993055556 | data | 6.591638965772245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.306640625 | data | 2.7093261929320986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8f0 | 0xa00 | False | 0.3953125 | data | 4.294209855544776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x884 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x1f558 | 0x1f600 | False | 0.37483659113545814 | data | 4.9335056025106585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1039c | 0x51f3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x15590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
RT_ICON | 0x25db8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States |
RT_ICON | 0x29fe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
RT_ICON | 0x2c588 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
RT_ICON | 0x2d630 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States |
RT_ICON | 0x2dfb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
RT_STRING | 0x2e420 | 0x2f2 | data | ||
RT_STRING | 0x2e714 | 0x30c | data | ||
RT_STRING | 0x2ea20 | 0x2ce | data | ||
RT_STRING | 0x2ecf0 | 0x68 | data | ||
RT_STRING | 0x2ed58 | 0xb4 | data | ||
RT_STRING | 0x2ee0c | 0xae | data | ||
RT_GROUP_ICON | 0x2eebc | 0x68 | data | English | United States |
RT_VERSION | 0x2ef24 | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x2f2cc | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
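The import table above is enough to enumerate what the binary can do before it is ever run. The following is an added example, not part of this report: the import rows are copied from the table (header omitted, the same DLL appearing in more than one import descriptor is merged), and the capability groups are the author's own mapping of documented Win32 APIs. A capability is only reported when every API in its group is imported, so the privilege-adjustment triple (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) counts while a lone OpenProcessToken would not.

```python
"""Capability triage from an import table as printed in a sandbox report.

Added example, not part of the report. IMPORT_ROWS is copied from the import
table above; CAPABILITIES is the author's own mapping of Win32 APIs.
"""
from collections import defaultdict

IMPORT_ROWS = """\
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
"""

# A capability is reported only when every listed API is imported.
CAPABILITIES = {
    "adjusts own token privileges": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "spawns child processes": {"CreateProcessA"},
    "changes memory page protection": {"VirtualProtect"},
    "resolves APIs at runtime": {"LoadLibraryA", "GetProcAddress"},
    "queries system language/locale": {"GetUserDefaultLangID", "GetLocaleInfoA"},
    "can log off, shut down or reboot": {"ExitWindowsEx"},
    "writes and deletes files": {"CreateFileA", "WriteFile", "DeleteFileA"},
    "reads the registry": {"RegOpenKeyExA", "RegQueryValueExA"},
    "classic remote-process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
}


def parse_import_rows(text):
    """Merge rows into {dll: set(apis)}; one DLL may appear in several import descriptors."""
    by_dll = defaultdict(set)
    for line in text.splitlines():
        dll, apis = (c.strip() for c in line.strip().strip("|").split("|", 1))
        by_dll[dll.lower()].update(a.strip() for a in apis.split(",") if a.strip())
    return dict(by_dll)


def capabilities(by_dll):
    """Sorted names of the capabilities fully covered by the static imports."""
    imported = set().union(*by_dll.values())
    return sorted(name for name, apis in CAPABILITIES.items() if apis <= imported)


def missing_for(by_dll, capability):
    """APIs of a capability that are not statically imported.

    Because LoadLibraryA/GetProcAddress are present, anything listed here may
    still be resolved at run time, so it is a hint for dynamic analysis rather
    than a clean bill of health.
    """
    imported = set().union(*by_dll.values())
    return sorted(CAPABILITIES[capability] - imported)


if __name__ == "__main__":
    table = parse_import_rows(IMPORT_ROWS)
    for cap in capabilities(table):
        print("+", cap)
    print("- injection APIs absent:", ", ".join(missing_for(table, "classic remote-process injection")))
```

Run against the table above, eight of the nine groups are fully covered; the remote-injection group is the only one with nothing imported, and the run-time resolution pair means that absence is a starting point for the dynamic trace, not a conclusion.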
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/05/23-08:47:10.017687 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
01/05/23-08:47:09.800462 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
01/05/23-08:47:09.990287 | TCP | 2852981 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
01/05/23-08:47:09.925610 | TCP | 2852980 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2023 08:47:09.771787882 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.799809933 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:09.799943924 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.800462008 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.827680111 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:09.836986065 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:09.837126970 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.897756100 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.924849987 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:09.925086021 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.925610065 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.952578068 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:09.952980042 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:09.953092098 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.990287066 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.017482042 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017687082 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017736912 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017781973 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017790079 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.017816067 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017849922 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017884970 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017935991 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017944098 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.017982960 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.017983913 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.018007994 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.018030882 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.018032074 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.018080950 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.018090963 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.018136024 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045037031 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045104027 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045137882 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045152903 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045172930 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045201063 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045212984 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045250893 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045254946 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045298100 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045305014 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045345068 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045346975 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045392990 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045394897 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045439959 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045439959 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045488119 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045490026 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045533895 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045536995 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045581102 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045583010 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045628071 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045628071 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045677900 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045680046 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045723915 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045728922 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045772076 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045772076 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045819998 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045825005 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045865059 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045869112 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045916080 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045917034 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.045964003 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.045968056 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.046013117 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.072890043 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073029995 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073051929 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073117971 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073136091 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073177099 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073189974 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073235989 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073251963 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073295116 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073312998 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073354006 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073359966 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073417902 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073420048 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073477030 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073477030 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073535919 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073538065 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073592901 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073592901 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073649883 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073651075 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073707104 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073707104 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073762894 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073765039 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073822021 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073822021 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073880911 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073883057 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073937893 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.073940992 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.073998928 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074003935 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074055910 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074055910 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074120998 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074141026 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074198961 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074201107 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074255943 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074258089 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074311972 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074312925 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074368000 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074368954 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074425936 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074426889 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074491978 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074493885 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074548006 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074548960 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074605942 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074608088 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074661016 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074661970 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074733973 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074769974 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074827909 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074831009 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074883938 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074892044 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.074944019 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.074947119 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075001001 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075006008 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075064898 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075066090 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075122118 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075125933 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075181961 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075184107 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075237989 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075237989 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075295925 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075298071 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075352907 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.075354099 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.075409889 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.102828026 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.102950096 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.102956057 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.103014946 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.103024006 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.103070021 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.103070021 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.103127956 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.156533957 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:10.183954954 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:10.184079885 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:10.184628010 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:10.211810112 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:10.635227919 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:10.635335922 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:12.711500883 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:12.738816023 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:13.094685078 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:13.094835997 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:14.841079950 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:14.841185093 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:15.078236103 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:15.078341961 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:15.194849014 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:15.222347975 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:15.582741022 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:15.582932949 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:18.399646997 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:18.426881075 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:18.811140060 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:18.811424017 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:20.899158001 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:20.929702997 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:21.282871008 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:21.282958984 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:23.423401117 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:23.451078892 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:23.864329100 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:23.864563942 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:25.946579933 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:25.973993063 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:26.442823887 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:26.443020105 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:28.517307997 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:28.544837952 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:28.903182030 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:28.903363943 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:30.978315115 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:31.005625010 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:31.374718904 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:31.374835014 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:33.465759993 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:33.493500948 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:33.858603001 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:33.858731031 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:36.415440083 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:36.443062067 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:36.810410976 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:36.812172890 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:40.281857967 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:40.281939983 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:40.282066107 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
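The packet list above is three TCP connections from the sandbox host (ports 49705, 49706, 49707) to three servers on port 80, and each Snort alert earlier on the page lands on one of them. The following is an added example, not part of this report, that rebuilds the flows from a subset of the packet rows (copied from the table, header omitted) and attaches each alert to its flow with the direction and the time gap to the nearest captured packet. The alert rows are reproduced with only the timestamp in their first column. The report prints packet times in CET and IDS times without a zone; treating them as one clock is an assumption the zero gaps below support.

```python
"""Rebuild TCP flows from sandbox packet rows and tie each Snort alert to one.

Added example, not part of the report. PACKET_ROWS is a subset of the packet
table above and ALERT_ROWS the four Snort rows, both copied from the page.
Assumption: packet times (printed in CET) and IDS times share one clock.
"""
import re
from datetime import datetime

PACKET_ROWS = """\
Jan 5, 2023 08:47:09.771787882 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.799809933 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:09.800462008 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.827680111 CET | 80 | 49705 | 45.139.105.171 | 192.168.2.5 |
Jan 5, 2023 08:47:09.837126970 CET | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
Jan 5, 2023 08:47:09.897756100 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.924849987 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:09.925610065 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:09.990287066 CET | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
Jan 5, 2023 08:47:10.017482042 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.017687082 CET | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
Jan 5, 2023 08:47:10.156533957 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:10.183954954 CET | 80 | 49707 | 171.22.30.106 | 192.168.2.5 |
Jan 5, 2023 08:47:10.184079885 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
Jan 5, 2023 08:47:10.184628010 CET | 49707 | 80 | 192.168.2.5 | 171.22.30.106 |
"""

ALERT_ROWS = """\
01/05/23-08:47:10.017687 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49706 | 107.182.129.235 | 192.168.2.5 |
01/05/23-08:47:09.800462 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49705 | 80 | 192.168.2.5 | 45.139.105.171 |
01/05/23-08:47:09.990287 | TCP | 2852981 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
01/05/23-08:47:09.925610 | TCP | 2852980 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) | 49706 | 80 | 192.168.2.5 | 107.182.129.235 |
"""


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_packet_time(text):
    """'Jan 5, 2023 08:47:09.771787882 CET' -> naive datetime (%f takes six digits, so nanoseconds are truncated)."""
    m = re.fullmatch(r"(.+?)\.(\d+) CET", text)
    if m is None:
        raise ValueError(f"unexpected timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def flow_key(src, sport, dst, dport):
    """Direction-independent flow identity: both endpoints in sorted order."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def build_flows(text):
    """Group packets into flows; the first packet seen fixes which side is the client."""
    flows = {}
    for line in text.splitlines():
        ts, sport, dport, src, dst = _cells(line)
        ts, sport, dport = parse_packet_time(ts), int(sport), int(dport)
        f = flows.setdefault(flow_key(src, sport, dst, dport), {
            "client": (src, sport), "server": (dst, dport),
            "to_server": 0, "from_server": 0, "times": []})
        f["to_server" if (src, sport) == f["client"] else "from_server"] += 1
        f["times"].append(ts)
    return flows


def parse_alerts(text):
    """Snort rows: timestamp | proto | SID | message | sport | dport | src | dst."""
    alerts = []
    for line in text.splitlines():
        ts, proto, sid, msg, sport, dport, src, dst = _cells(line)
        alerts.append({"time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
                       "sid": int(sid), "msg": msg, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return alerts


def correlate(alerts, flows):
    """Attach each alert to its flow; report direction and the gap to the nearest captured packet."""
    results = []
    for a in alerts:
        f = flows.get(flow_key(a["src"], a["sport"], a["dst"], a["dport"]))
        if f is None:
            results.append({"sid": a["sid"], "matched": False})
            continue
        gap = min(abs((t - a["time"]).total_seconds()) for t in f["times"])
        results.append({"sid": a["sid"], "matched": True, "msg": a["msg"], "server": f["server"],
                        "client_port": f["client"][1],
                        "direction": "to_server" if (a["src"], a["sport"]) == f["client"] else "from_server",
                        "nearest_packet_gap_us": round(gap * 1_000_000)})
    return results
```

With the full table the same code also shows the shape of each connection: the 49707 connection keeps exchanging data in roughly two-and-a-half-second beats until all three sockets are closed at 08:47:40, which is the kind of regular cadence worth checking against the C2 configuration reported elsewhere on the page. Only one request on the 45.139.105.171 flow and the two GETs plus the payload response on the 107.182.129.235 flow carry alerts; the 171.22.30.106 flow carries none, so a rule-only view would miss it.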
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49705 | 45.139.105.171 | 80 | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 5, 2023 08:47:09.800462008 CET | 93 | OUT | |
Jan 5, 2023 08:47:09.836986065 CET | 93 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.5 | 49706 | 107.182.129.235 | 80 | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 5, 2023 08:47:09.925610065 CET | 94 | OUT | |
Jan 5, 2023 08:47:09.952980042 CET | 94 | IN | |
Jan 5, 2023 08:47:09.990287066 CET | 95 | OUT | |
Jan 5, 2023 08:47:10.017687082 CET | 96 | IN | |