Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 1968 cmdline: C:\Users\user\Desktop\file.exe MD5: 4206F8B371294F11B01592ACC7BB338D)
- is-EPSRP.tmp (PID: 3132 cmdline: "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496 MD5: E8176050192FBB976D70238E3C121F4C)
- SplitFiles131.exe (PID: 4948 cmdline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe" MD5: D26C02425FA67FBDC0E4B4D5D6FA6088)
- rf6CwnLa.exe (PID: 588 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 2264 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6076 cmdline: taskkill /im "SplitFiles131.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
Timestamp | SID | Source IP | Source Port | Destination IP | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|---|---|
01/05/23-09:17:07.792702 | 2041920 | 192.168.2.4 | 49696 | 45.139.105.171 | 80 | TCP | A Network Trojan was detected |
01/05/23-09:17:07.993654 | 2852981 | 192.168.2.4 | 49697 | 107.182.129.235 | 80 | TCP | A Network Trojan was detected |
01/05/23-09:17:08.021859 | 2852925 | 107.182.129.235 | 80 | 192.168.2.4 | 49697 | TCP | A Network Trojan was detected |
01/05/23-09:17:07.923264 | 2852980 | 192.168.2.4 | 49697 | 107.182.129.235 | 80 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Code function: | 1_2_0046CA68 | |
Source: | Code function: | 1_2_00474A14 | |
Source: | Code function: | 1_2_0045157C | |
Source: | Code function: | 1_2_0045E244 | |
Source: | Code function: | 1_2_0048AC5C | |
Source: | Code function: | 1_2_00472CD4 | |
Source: | Code function: | 1_2_0045CDA4 | |
Source: | Code function: | 1_2_0045DEB0 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | IPs: | ||
Source: | IPs: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B30 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00408280 | |
Source: | Code function: | 1_2_00468C28 | |
Source: | Code function: | 1_2_00461280 | |
Source: | Code function: | 1_2_0043DE40 | |
Source: | Code function: | 1_2_004302D0 | |
Source: | Code function: | 1_2_004445B8 | |
Source: | Code function: | 1_2_00434864 | |
Source: | Code function: | 1_2_0047AA90 | |
Source: | Code function: | 1_2_00444B60 | |
Source: | Code function: | 1_2_0045ADE0 | |
Source: | Code function: | 1_2_00480F94 | |
Source: | Code function: | 1_2_00445258 | |
Source: | Code function: | 1_2_004132E1 | |
Source: | Code function: | 1_2_00463288 | |
Source: | Code function: | 1_2_00435568 | |
Source: | Code function: | 1_2_00445664 | |
Source: | Code function: | 1_2_0042F874 | |
Source: | Code function: | 1_2_00457F04 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004096F0 | |
Source: | Code function: | 2_2_004056A0 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_004150D3 | |
Source: | Code function: | 2_2_00415305 | |
Source: | Code function: | 2_2_004223A9 | |
Source: | Code function: | 2_2_00419510 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_00426850 | |
Source: | Code function: | 2_2_00410A50 | |
Source: | Code function: | 2_2_0042AB9A | |
Source: | Code function: | 2_2_00421C88 | |
Source: | Code function: | 2_2_0042ACBA | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00428D39 | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000F670 | |
Source: | Code function: | 2_2_1000EC61 |
Source: | Code function: | 1_2_00423C4C | |
Source: | Code function: | 1_2_004126A0 | |
Source: | Code function: | 1_2_00455514 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_0040910C | |
Source: | Code function: | 1_2_00453D80 |
Source: | WMI Queries: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B30 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 1_2_004547A0 |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 1_2_0040B090 |
Source: | File created: | Jump to behavior |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 | |
Source: | Command line argument: | 2_2_004096F0 |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004065C9 | |
Source: | Code function: | 0_2_00404195 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00408C07 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00407F41 | |
Source: | Code function: | 1_2_00409A55 | |
Source: | Code function: | 1_2_0040A108 | |
Source: | Code function: | 1_2_004302D5 | |
Source: | Code function: | 1_2_004063C1 | |
Source: | Code function: | 1_2_0047866B | |
Source: | Code function: | 1_2_0041079D | |
Source: | Code function: | 1_2_00412A4B | |
Source: | Code function: | 1_2_0045AAA1 | |
Source: | Code function: | 1_2_00450EDF | |
Source: | Code function: | 1_2_0040D0F2 | |
Source: | Code function: | 1_2_00443534 | |
Source: | Code function: | 1_2_004055F9 | |
Source: | Code function: | 1_2_0040F652 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00479B25 | |
Source: | Code function: | 1_2_00419CF5 | |
Source: | Code function: | 2_2_004311B6 | |
Source: | Code function: | 2_2_0040F4CE |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Code function: | 1_2_00423CD4 | |
Source: | Code function: | 1_2_00423CD4 | |
Source: | Code function: | 1_2_00478118 | |
Source: | Code function: | 1_2_0042425C | |
Source: | Code function: | 1_2_004242A4 | |
Source: | Code function: | 1_2_0041844C | |
Source: | Code function: | 1_2_00422924 | |
Source: | Code function: | 1_2_00417660 | |
Source: | Code function: | 1_2_00417D96 | |
Source: | Code function: | 1_2_00417D98 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Evasive API call chain: | graph_0-5522 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Check user administrative privileges: | graph_2-35022 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_00409764 |
Source: | Code function: | 1_2_0046CA68 | |
Source: | Code function: | 1_2_00474A14 | |
Source: | Code function: | 1_2_0045157C | |
Source: | Code function: | 1_2_0045E244 | |
Source: | Code function: | 1_2_0048AC5C | |
Source: | Code function: | 1_2_00472CD4 | |
Source: | Code function: | 1_2_0045CDA4 | |
Source: | Code function: | 1_2_0045DEB0 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0041336B |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_0042041F | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417BAF | |
Source: | Code function: | 2_2_100091C7 | |
Source: | Code function: | 2_2_10006CE1 |
Source: | Code function: | 2_2_0040F789 | |
Source: | Code function: | 2_2_0041336B | |
Source: | Code function: | 2_2_0040F5F5 | |
Source: | Code function: | 2_2_0040EBD2 | |
Source: | Code function: | 2_2_10006180 | |
Source: | Code function: | 2_2_100035DF | |
Source: | Code function: | 2_2_10003AD4 |
Source: | Process created: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 1_2_00459734 |
Source: | Code function: | 0_2_004051D8 | |
Source: | Code function: | 0_2_00405224 | |
Source: | Code function: | 1_2_004085FC | |
Source: | Code function: | 1_2_00408648 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00427041 | |
Source: | Code function: | 2_2_0042708C | |
Source: | Code function: | 2_2_00427127 | |
Source: | Code function: | 2_2_004271B2 | |
Source: | Code function: | 2_2_0041E2FF | |
Source: | Code function: | 2_2_00427405 | |
Source: | Code function: | 2_2_0042752B | |
Source: | Code function: | 2_2_00427631 | |
Source: | Code function: | 2_2_00427700 | |
Source: | Code function: | 2_2_0041E821 | |
Source: | Code function: | 2_2_00426D9F |
Source: | Code function: | 2_2_0040F7F3 |
Source: | Code function: | 1_2_00455E7C |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CC0 |
Source: | Code function: | 1_2_00453D18 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 50% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen8 | | Download File |
| 100% | Avira | TR/Crypt.XPACK.Gen2 | | Download File |
| 100% | Avira | HEUR/AGEN.1248792 | | Download File |
| 100% | Avira | HEUR/AGEN.1250671 | | Download File |
| 100% | Avira | TR/Crypt.XPACK.Gen2 | | Download File |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 100% | URL Reputation | malware | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 2% | Virustotal | | Browse |
| 13% | Virustotal | | Browse |
| 100% | Avira URL Cloud | malware | |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | | 33657 | CMCSUS | true |
45.139.105.1 | unknown | Italy | | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | | 11070 | META-ASUS | true |
171.22.30.106 | unknown | Germany | | 33657 | CMCSUS | false |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 778239 |
Start date and time: | 2023-01-05 09:16:09 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@12/39@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
09:17:06 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
CMCSUS | | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\Split Files\is-5V8K4.tmp | | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
| | Get hash | malicious | Browse | |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2193 |
Entropy (8bit): | 4.702648325021821 |
Encrypted: | false |
SSDEEP: | 24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g |
MD5: | EA42A2F0D0B4CBE042DE38568E18F1AC |
SHA1: | 58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771 |
SHA-256: | AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A |
SHA-512: | 6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2942 |
Entropy (8bit): | 5.0506474169868945 |
Encrypted: | false |
SSDEEP: | 48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+ |
MD5: | 58D65074A58BC8EAE2D5A3B589399A53 |
SHA1: | 074E7E5BFD52200086309913670D49BA664FB279 |
SHA-256: | 2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90 |
SHA-512: | C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3299023 |
Entropy (8bit): | 5.539173858681708 |
Encrypted: | false |
SSDEEP: | 98304:ipRn32Afxm8quBv68VsFryIBHB2+/sAO8:aBps+8 |
MD5: | D26C02425FA67FBDC0E4B4D5D6FA6088 |
SHA1: | 09D22E65BFF61FB7BC43FB680D5E6EC3A942E9B0 |
SHA-256: | 01CCE9B495FE88280525F44AA8A6A5417CC4081D0CC6CAD384CE42649673E677 |
SHA-512: | ED887FDFACAB2CAC118BE458B546E55CC473EF3DDA815EBAEBE5B01799F41976E80E03D649BCBA3D532C37CC05EDA3C34A1FF0841A3B3AD2F3935BB5B2189B38 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 789258 |
Entropy (8bit): | 6.369988626022893 |
Encrypted: | false |
SSDEEP: | 12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU |
MD5: | D3BA43B9E1B3838F28AFC558F2991D5B |
SHA1: | 1132F1C76760281A591F7DF99D592283103FCC87 |
SHA-256: | 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9 |
SHA-512: | 870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022 |
Malicious: | true |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2193 |
Entropy (8bit): | 4.702648325021821 |
Encrypted: | false |
SSDEEP: | 24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g |
MD5: | EA42A2F0D0B4CBE042DE38568E18F1AC |
SHA1: | 58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771 |
SHA-256: | AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A |
SHA-512: | 6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 97 |
Entropy (8bit): | 5.12302231676258 |
Encrypted: | false |
SSDEEP: | 3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy |
MD5: | DCD6923B008121BFF4C7C0AA1206286E |
SHA1: | AD4EF16A96A80C8EA5DBC5933229580BC6C332E0 |
SHA-256: | E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376 |
SHA-512: | EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3299023 |
Entropy (8bit): | 5.53917302973062 |
Encrypted: | false |
SSDEEP: | 98304:vpRn32Afxm8quBv68VsFryIBHB2+/sAO8:BBps+8 |
MD5: | 2A4BCD07D4B6930C0F71167C15B0688B |
SHA1: | 5B07D7BED299AA5E483D5432483E21FB85DCA51F |
SHA-256: | 311DBADCEAF02ADAFE066C6221A9ECC92253F6C1980FC9AF16DC1514D6D77E6B |
SHA-512: | 43BC67CB935DA4CCD63773BB81490179150A65C18AF6E9B9E32BDD7A74904FD4D43FA8F095B0086B772225A6A3EEF5677C71FF64863557FC2F7E82EC2E5E0267 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2942 |
Entropy (8bit): | 5.0506474169868945 |
Encrypted: | false |
SSDEEP: | 48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+ |
MD5: | 58D65074A58BC8EAE2D5A3B589399A53 |
SHA1: | 074E7E5BFD52200086309913670D49BA664FB279 |
SHA-256: | 2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90 |
SHA-512: | C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2266 |
Entropy (8bit): | 5.4593359267896355 |
Encrypted: | false |
SSDEEP: | 48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf |
MD5: | 4ABA9765EB3555788F5706D87A9D2DCA |
SHA1: | 36C0895FBF9F99690CA55C54CC56310E24513113 |
SHA-256: | E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433 |
SHA-512: | 3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2345 |
Entropy (8bit): | 5.847861612631974 |
Encrypted: | false |
SSDEEP: | 48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK |
MD5: | A5C9FEA89EFE8E2162BA477E8EA39B44 |
SHA1: | E6A2042C574D14786891F0C32F92C8292BBB4ACA |
SHA-256: | 8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA |
SHA-512: | 3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2687 |
Entropy (8bit): | 5.051567814097503 |
Encrypted: | false |
SSDEEP: | 48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE |
MD5: | D2471D35D833E2544D67365E015E6153 |
SHA1: | 497EE8FF9519D025BD10C5AA15DDC34DFB1B334B |
SHA-256: | 4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7 |
SHA-512: | C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2594 |
Entropy (8bit): | 5.044497576650396 |
Encrypted: | false |
SSDEEP: | 48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H |
MD5: | 76776746B3CFF1CBD5D56CD44CA2DEF5 |
SHA1: | 2F2ECA50BD7F72232BE84291EF1A7956C24098CC |
SHA-256: | EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3 |
SHA-512: | 202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2507 |
Entropy (8bit): | 5.040552699764577 |
Encrypted: | false |
SSDEEP: | 48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD |
MD5: | 336D33F55222F48FBA19EF0911732766 |
SHA1: | E17A78E3B48192361DB540B1E8C9D0548C9A9FFE |
SHA-256: | 0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C |
SHA-512: | 67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2729 |
Entropy (8bit): | 5.029883215699414 |
Encrypted: | false |
SSDEEP: | 48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN |
MD5: | 8AFE543CB6791AA250312EBA61BF7C13 |
SHA1: | BFD229D43BE86728A634055AD65860157C2671BD |
SHA-256: | AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC |
SHA-512: | 5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2299 |
Entropy (8bit): | 5.691502190790686 |
Encrypted: | false |
SSDEEP: | 48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD |
MD5: | F9F47FF3D866FFC4F38E315E41356E55 |
SHA1: | EFC313A99993B5FB8A454D4C5197C6F3965B5C89 |
SHA-256: | 3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957 |
SHA-512: | 6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2718 |
Entropy (8bit): | 5.057121428169199 |
Encrypted: | false |
SSDEEP: | 48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG |
MD5: | 21B4D47F5D851271C89310C92777FB70 |
SHA1: | 9D85FF8F7107CFAE3F31993FAF7F249591AFCB27 |
SHA-256: | D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7 |
SHA-512: | 46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2607 |
Entropy (8bit): | 5.234177949162883 |
Encrypted: | false |
SSDEEP: | 48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx |
MD5: | E1271E0DDD609CD7F9C2367D32FEBE4B |
SHA1: | 0A420424F1FADE0BFF002E63AAD22B5E94B86CAC |
SHA-256: | AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F |
SHA-512: | 86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4440 |
Entropy (8bit): | 4.694474322424776 |
Encrypted: | false |
SSDEEP: | 48:kYm+aDkyMlLBv8rD85pPmUIrBdcoINLFhqkLVO3471hD5WpPLDfDxLDvvDHD1Doh:k6jZp8rD85pPmaoINFhqYOIhHeSk9Wh |
MD5: | 53C436BD0D2549BA1258A77A841B5A9A |
SHA1: | 5F7B0A6634430337111FA045E4F2E0128A8DB7CB |
SHA-256: | A358BD2018A9F35635AF323C85172C5B9850FDCCC8F952C49D38D842328C3C86 |
SHA-512: | BD64AB964DAF92C20189970BB5C26813315BAA552473E65CC8386D83C7E0100519184CA276BE75E02381837E53ED726CF3B46BAB16CD22240B1641D2879846A9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 789258 |
Entropy (8bit): | 6.369988626022893 |
Encrypted: | false |
SSDEEP: | 12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU |
MD5: | D3BA43B9E1B3838F28AFC558F2991D5B |
SHA1: | 1132F1C76760281A591F7DF99D592283103FCC87 |
SHA-256: | 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9 |
SHA-512: | 870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022 |
Malicious: | true |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 778752 |
Entropy (8bit): | 6.357908612813808 |
Encrypted: | false |
SSDEEP: | 12288:cpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOG:2mt2bfrP437QzH/A6A7E7dVPUxOG |
MD5: | E8176050192FBB976D70238E3C121F4C |
SHA1: | 2F1FD24EFE1F3F3FEE775CC3F5255B32F8880900 |
SHA-256: | AB4FE42A7B708DDB648BB2088216FF47B877AE599FD52FF50359FC1DB8E11EF7 |
SHA-512: | 27EDF7A71C6546F1AB52E7EF97E404975DDD237D6C2D1038D24A49EAB724971884510F00F427C713ADB105857A0B12C7D57CA1CA1C70A6CEFED4BE619C345F4C |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: | |
Preview: |
File type: | |
Entropy (8bit): | 7.9253810174103325 |
TrID: | |
File name: | file.exe |
File size: | 1970815 |
MD5: | 4206f8b371294f11b01592acc7bb338d |
SHA1: | 9383a82b185715c4b42b23ef730acb53f17dfcfb |
SHA256: | 5f5252d8963550284ca23188a6ee8a5b9aa85c3d1ce1f5983ee7dcc7e60f8b33 |
SHA512: | 4396f5199bf5fb4fd62b3b4b652801161f5cc19dec17b0cc7ce0700e314f478dd06750a9c3fb53eb1d688f0bf0d5132331f8b821cfb75255d1e49c80609fca7b |
SSDEEP: | 24576:lpniVajDB1ubGd/qd5o37sEPfU2kCchDvfDBPNtbVWiY/Q6PmFNggJoHOVgcF93o:3ikj9k2k7TpNgPmFJN3T6t7gZ8UkqBi |
TLSH: | 17951235B09071EEF8F35AB0040F456C6A672F7369A8BE2E251AB3395932371F516F24 |
File Content Preview: | MZP.....................@.......................InnoW...................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | b8ba6cc880e1f204 |
Entrypoint: | 0x409820 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | e92b45c54aa05ec107d5ef90662e6b33 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007F90A86E9FDBh |
call 00007F90A86EB286h |
call 00007F90A86ED489h |
call 00007F90A86ED4D0h |
call 00007F90A86EFAC7h |
call 00007F90A86EFC2Eh |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409F05h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409EBBh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007F90A86F061Fh |
call 00007F90A86F01DEh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F90A86ED944h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007F90A86EA087h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 00407158h |
call 00007F90A86EE02Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409E99h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007F90A86EE127h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007F90A86EE261h |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8f0 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1f558 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8f94 | 0x9000 | False | 0.6195203993055556 | data | 6.591638965772245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.306640625 | data | 2.7093261929320986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8f0 | 0xa00 | False | 0.3953125 | data | 4.294209855544776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x884 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x1f558 | 0x1f600 | False | 0.37483659113545814 | data | 4.9335056025106585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1039c | 0x51f3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x15590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
RT_ICON | 0x25db8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States |
RT_ICON | 0x29fe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
RT_ICON | 0x2c588 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
RT_ICON | 0x2d630 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States |
RT_ICON | 0x2dfb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
RT_STRING | 0x2e420 | 0x2f2 | data | ||
RT_STRING | 0x2e714 | 0x30c | data | ||
RT_STRING | 0x2ea20 | 0x2ce | data | ||
RT_STRING | 0x2ecf0 | 0x68 | data | ||
RT_STRING | 0x2ed58 | 0xb4 | data | ||
RT_STRING | 0x2ee0c | 0xae | data | ||
RT_GROUP_ICON | 0x2eebc | 0x68 | data | English | United States |
RT_VERSION | 0x2ef24 | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x2f2cc | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/05/23-09:17:07.792702 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49696 | 80 | 192.168.2.4 | 45.139.105.171 |
01/05/23-09:17:07.993654 | TCP | 2852981 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) | 49697 | 80 | 192.168.2.4 | 107.182.129.235 |
01/05/23-09:17:08.021859 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49697 | 107.182.129.235 | 192.168.2.4 |
01/05/23-09:17:07.923264 | TCP | 2852980 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) | 49697 | 80 | 192.168.2.4 | 107.182.129.235 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49696 | 45.139.105.171 | 80 | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 5, 2023 09:17:07.792701960 CET | 91 | OUT | |
Jan 5, 2023 09:17:07.824846983 CET | 92 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.4 | 49697 | 107.182.129.235 | 80 | C:\Program Files (x86)\Split Files\SplitFiles131.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 5, 2023 09:17:07.923264027 CET | 92 | OUT | |
Jan 5, 2023 09:17:07.950826883 CET | 93 | IN | |
Jan 5, 2023 09:17:07.993654013 CET | 93 | OUT | |
Jan 5, 2023 09:17:08.021858931 CET | 95 | IN | |