Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Obfuscated command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 5860 cmdline: C:\Users\user\Desktop\file.exe MD5: BC7001AFD99293BF22ADCDF0D30C564A)
- file.tmp (PID: 5864 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp" /SL5="$702C6,1650404,162304,C:\Users\user\Desktop\file.exe" MD5: 7013A53C5472267941844ED17DE4DE3C)
- HitFiles134.exe (PID: 1008 cmdline: "C:\Program Files (x86)\Split Files\HitFiles134.exe" MD5: FB4704E7F6C63CAEB0D39F48B0792636)
- 3JCCsnPwg.exe (PID: 5144 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 2380 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "HitFiles134.exe" /f & erase "C:\Program Files (x86)\Split Files\HitFiles134.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5188 cmdline: taskkill /im "HitFiles134.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
Timestamp: | 01/08/23-16:11:53.367556 |
Source IP: | 192.168.2.7 |
Destination IP: | 107.182.129.235 |
SID: | 2852980 |
Source Port: | 49713 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 01/08/23-16:11:53.444812 |
Source IP: | 192.168.2.7 |
Destination IP: | 107.182.129.235 |
SID: | 2852981 |
Source Port: | 49713 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 01/08/23-16:11:53.219578 |
Source IP: | 192.168.2.7 |
Destination IP: | 45.139.105.171 |
SID: | 2041920 |
Source Port: | 49712 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 01/08/23-16:11:53.472106 |
Source IP: | 107.182.129.235 |
Destination IP: | 192.168.2.7 |
SID: | 2852925 |
Source Port: | 80 |
Destination Port: | 49713 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 13 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 5% | ReversingLabs | Win32.Backdoor.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 3% | ReversingLabs | | |
| 3% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
| 2% | ReversingLabs | | |
| 60% | ReversingLabs | Win32.Trojan.GenusAgent | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | TR/Patched.Ren.Gen | |
| 100% | Avira | HEUR/AGEN.1250671 | |
| 100% | Avira | TR/Crypt.XPACK.Gen2 | |
| 100% | Avira | TR/Patched.Ren.Gen | |
| 100% | Avira | HEUR/AGEN.1248792 | |
| 100% | Avira | TR/Patched.Ren.Gen | |
| 100% | Avira | TR/Crypt.XPACK.Gen2 | |
| 100% | Avira | TR/Crypt.XPACK.Gen8 | |
| 100% | Avira | TR/Patched.Ren.Gen | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | URL Reputation | malware | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | true |
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true |
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 780214 |
Start date and time: | 2023-01-08 16:10:43 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@12/40@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
16:11:51 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\Split Files\is-S7F6P.tmp | | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3329876 |
Entropy (8bit): | 5.493602162783093 |
Encrypted: | false |
SSDEEP: | 49152:lyQLPMeFkQhUzWSGRU2eZW6vX7K/mdl85BAsv:3jbKCFSGRxyWau+X85Bpv |
MD5: | FB4704E7F6C63CAEB0D39F48B0792636 |
SHA1: | 1C160A150531A66BD14F954EDE554C09B441A4F5 |
SHA-256: | FD620AFFADCC35DEA8917CEA19136E33BAC41C8F535757BD07947759D012E6BE |
SHA-512: | E581AB41C0219D07A01F88A23578AC521338DC26AA8CC2A7C620A6024F4CC8EE8368A69DFA997BAAE2528DF7BFF188E3F15933A5AEA0F94D71D7CFAA4F13D9EB |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2193 |
Entropy (8bit): | 4.702648325021821 |
Encrypted: | false |
SSDEEP: | 24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g |
MD5: | EA42A2F0D0B4CBE042DE38568E18F1AC |
SHA1: | 58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771 |
SHA-256: | AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A |
SHA-512: | 6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2942 |
Entropy (8bit): | 5.0506474169868945 |
Encrypted: | false |
SSDEEP: | 48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+ |
MD5: | 58D65074A58BC8EAE2D5A3B589399A53 |
SHA1: | 074E7E5BFD52200086309913670D49BA664FB279 |
SHA-256: | 2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90 |
SHA-512: | C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2193 |
Entropy (8bit): | 4.702648325021821 |
Encrypted: | false |
SSDEEP: | 24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g |
MD5: | EA42A2F0D0B4CBE042DE38568E18F1AC |
SHA1: | 58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771 |
SHA-256: | AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A |
SHA-512: | 6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 829726 |
Entropy (8bit): | 6.385004526809536 |
Encrypted: | false |
SSDEEP: | 24576:zN/ac4cUrPN37qzHxA6odmL+tNE70tm8ffINgXEx982:zNSjrPN37qzHxA6odRkymJNVT |
MD5: | 72466399CE62027E57E8EA332EC2BE1B |
SHA1: | 5D91A70C78DB393947AFCACB35A5D82A78A2E9DC |
SHA-256: | C6D9AFBD0C6A415D38F71573FD9B214C927538F53896E0DA3FFE830A991D4485 |
SHA-512: | 2E5ACB1EE57AC29277E8443CDBF94A6938AF9358999FAB2BB7FC91EC5CDD3601E7997650474529ED9D0D43BCA3B6EA1D26009C603BAA89A176B0CCFE8E796AAF |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2942 |
Entropy (8bit): | 5.0506474169868945 |
Encrypted: | false |
SSDEEP: | 48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+ |
MD5: | 58D65074A58BC8EAE2D5A3B589399A53 |
SHA1: | 074E7E5BFD52200086309913670D49BA664FB279 |
SHA-256: | 2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90 |
SHA-512: | C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 97 |
Entropy (8bit): | 5.12302231676258 |
Encrypted: | false |
SSDEEP: | 3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy |
MD5: | DCD6923B008121BFF4C7C0AA1206286E |
SHA1: | AD4EF16A96A80C8EA5DBC5933229580BC6C332E0 |
SHA-256: | E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376 |
SHA-512: | EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3329876 |
Entropy (8bit): | 5.493601539078126 |
Encrypted: | false |
SSDEEP: | 49152:ayQLPMeFkQhUzWSGRU2eZW6vX7K/mdl85BAsv:YjbKCFSGRxyWau+X85Bpv |
MD5: | C2CB0AEC30FDBC7625C37C0A8AEF13BD |
SHA1: | 17FCA7B33467B180C158E452C47346D88D2D2762 |
SHA-256: | 6C2D4B41D32263868461D16B9C81CFBF57CE48ACAFDAA563DCF4CD1362472080 |
SHA-512: | A366A0DC518AD232EF0919FA0E0345D430265FD7578D8274E995E2893909933B5965FD43335A1701F81E710B18CB0F6CC0C796F24D88024652992AE05BC73D0C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2266 |
Entropy (8bit): | 5.4593359267896355 |
Encrypted: | false |
SSDEEP: | 48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf |
MD5: | 4ABA9765EB3555788F5706D87A9D2DCA |
SHA1: | 36C0895FBF9F99690CA55C54CC56310E24513113 |
SHA-256: | E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433 |
SHA-512: | 3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2345 |
Entropy (8bit): | 5.847861612631974 |
Encrypted: | false |
SSDEEP: | 48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK |
MD5: | A5C9FEA89EFE8E2162BA477E8EA39B44 |
SHA1: | E6A2042C574D14786891F0C32F92C8292BBB4ACA |
SHA-256: | 8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA |
SHA-512: | 3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2687 |
Entropy (8bit): | 5.051567814097503 |
Encrypted: | false |
SSDEEP: | 48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE |
MD5: | D2471D35D833E2544D67365E015E6153 |
SHA1: | 497EE8FF9519D025BD10C5AA15DDC34DFB1B334B |
SHA-256: | 4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7 |
SHA-512: | C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2594 |
Entropy (8bit): | 5.044497576650396 |
Encrypted: | false |
SSDEEP: | 48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H |
MD5: | 76776746B3CFF1CBD5D56CD44CA2DEF5 |
SHA1: | 2F2ECA50BD7F72232BE84291EF1A7956C24098CC |
SHA-256: | EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3 |
SHA-512: | 202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2507 |
Entropy (8bit): | 5.040552699764577 |
Encrypted: | false |
SSDEEP: | 48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD |
MD5: | 336D33F55222F48FBA19EF0911732766 |
SHA1: | E17A78E3B48192361DB540B1E8C9D0548C9A9FFE |
SHA-256: | 0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C |
SHA-512: | 67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2729 |
Entropy (8bit): | 5.029883215699414 |
Encrypted: | false |
SSDEEP: | 48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN |
MD5: | 8AFE543CB6791AA250312EBA61BF7C13 |
SHA1: | BFD229D43BE86728A634055AD65860157C2671BD |
SHA-256: | AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC |
SHA-512: | 5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2299 |
Entropy (8bit): | 5.691502190790686 |
Encrypted: | false |
SSDEEP: | 48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD |
MD5: | F9F47FF3D866FFC4F38E315E41356E55 |
SHA1: | EFC313A99993B5FB8A454D4C5197C6F3965B5C89 |
SHA-256: | 3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957 |
SHA-512: | 6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2718 |
Entropy (8bit): | 5.057121428169199 |
Encrypted: | false |
SSDEEP: | 48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG |
MD5: | 21B4D47F5D851271C89310C92777FB70 |
SHA1: | 9D85FF8F7107CFAE3F31993FAF7F249591AFCB27 |
SHA-256: | D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7 |
SHA-512: | 46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2607 |
Entropy (8bit): | 5.234177949162883 |
Encrypted: | false |
SSDEEP: | 48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx |
MD5: | E1271E0DDD609CD7F9C2367D32FEBE4B |
SHA1: | 0A420424F1FADE0BFF002E63AAD22B5E94B86CAC |
SHA-256: | AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F |
SHA-512: | 86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2594 |
Entropy (8bit): | 5.044497576650396 |
Encrypted: | false |
SSDEEP: | 48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H |
MD5: | 76776746B3CFF1CBD5D56CD44CA2DEF5 |
SHA1: | 2F2ECA50BD7F72232BE84291EF1A7956C24098CC |
SHA-256: | EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3 |
SHA-512: | 202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2607 |
Entropy (8bit): | 5.234177949162883 |
Encrypted: | false |
SSDEEP: | 48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx |
MD5: | E1271E0DDD609CD7F9C2367D32FEBE4B |
SHA1: | 0A420424F1FADE0BFF002E63AAD22B5E94B86CAC |
SHA-256: | AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F |
SHA-512: | 86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2345 |
Entropy (8bit): | 5.847861612631974 |
Encrypted: | false |
SSDEEP: | 48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK |
MD5: | A5C9FEA89EFE8E2162BA477E8EA39B44 |
SHA1: | E6A2042C574D14786891F0C32F92C8292BBB4ACA |
SHA-256: | 8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA |
SHA-512: | 3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2507 |
Entropy (8bit): | 5.040552699764577 |
Encrypted: | false |
SSDEEP: | 48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD |
MD5: | 336D33F55222F48FBA19EF0911732766 |
SHA1: | E17A78E3B48192361DB540B1E8C9D0548C9A9FFE |
SHA-256: | 0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C |
SHA-512: | 67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2266 |
Entropy (8bit): | 5.4593359267896355 |
Encrypted: | false |
SSDEEP: | 48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf |
MD5: | 4ABA9765EB3555788F5706D87A9D2DCA |
SHA1: | 36C0895FBF9F99690CA55C54CC56310E24513113 |
SHA-256: | E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433 |
SHA-512: | 3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2729 |
Entropy (8bit): | 5.029883215699414 |
Encrypted: | false |
SSDEEP: | 48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN |
MD5: | 8AFE543CB6791AA250312EBA61BF7C13 |
SHA1: | BFD229D43BE86728A634055AD65860157C2671BD |
SHA-256: | AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC |
SHA-512: | 5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2687 |
Entropy (8bit): | 5.051567814097503 |
Encrypted: | false |
SSDEEP: | 48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE |
MD5: | D2471D35D833E2544D67365E015E6153 |
SHA1: | 497EE8FF9519D025BD10C5AA15DDC34DFB1B334B |
SHA-256: | 4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7 |
SHA-512: | C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2299 |
Entropy (8bit): | 5.691502190790686 |
Encrypted: | false |
SSDEEP: | 48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD |
MD5: | F9F47FF3D866FFC4F38E315E41356E55 |
SHA1: | EFC313A99993B5FB8A454D4C5197C6F3965B5C89 |
SHA-256: | 3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957 |
SHA-512: | 6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2718 |
Entropy (8bit): | 5.057121428169199 |
Encrypted: | false |
SSDEEP: | 48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG |
MD5: | 21B4D47F5D851271C89310C92777FB70 |
SHA1: | 9D85FF8F7107CFAE3F31993FAF7F249591AFCB27 |
SHA-256: | D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7 |
SHA-512: | 46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4866 |
Entropy (8bit): | 4.7415446134648915 |
Encrypted: | false |
SSDEEP: | 96:92wWbD8np1Ayx6QoINFhqwOIhHs7ICSss/LSJh5:92wWbD8npKYbvLEIhCICSsAK7 |
MD5: | A0ABCD32B808D87AB70DEBFEAB943109 |
SHA1: | DC139906C9B0ADDC8EB86E81EB4F6801989FD6D2 |
SHA-256: | DCA87D67E6D6DE812AE1371E1D0FD5EE99BEB6000CC7BCEFE7A904306757BB9E |
SHA-512: | CF7F6F818488653E468DE80550E3ABA95B39617E8616C337ED68F905256F7C61613D4348AA55369FB1FE65BE5CAE847207E393272B34FA5574DD9C6B3D17EA4D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 829726 |
Entropy (8bit): | 6.385004526809536 |
Encrypted: | false |
SSDEEP: | 24576:zN/ac4cUrPN37qzHxA6odmL+tNE70tm8ffINgXEx982:zNSjrPN37qzHxA6odRkymJNVT |
MD5: | 72466399CE62027E57E8EA332EC2BE1B |
SHA1: | 5D91A70C78DB393947AFCACB35A5D82A78A2E9DC |
SHA-256: | C6D9AFBD0C6A415D38F71573FD9B214C927538F53896E0DA3FFE830A991D4485 |
SHA-512: | 2E5ACB1EE57AC29277E8443CDBF94A6938AF9358999FAB2BB7FC91EC5CDD3601E7997650474529ED9D0D43BCA3B6EA1D26009C603BAA89A176B0CCFE8E796AAF |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 97 |
Entropy (8bit): | 5.12302231676258 |
Encrypted: | false |
SSDEEP: | 3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy |
MD5: | DCD6923B008121BFF4C7C0AA1206286E |
SHA1: | AD4EF16A96A80C8EA5DBC5933229580BC6C332E0 |
SHA-256: | E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376 |
SHA-512: | EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 4.026670007889822 |
Encrypted: | false |
SSDEEP: | 48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc |
MD5: | 0EE914C6F0BB93996C75941E1AD629C6 |
SHA1: | 12E2CB05506EE3E82046C41510F39A258A5E5549 |
SHA-256: | 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 |
SHA-512: | A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.215994423157539 |
Encrypted: | false |
SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF |
MD5: | 4FF75F505FDDCC6A9AE62216446205D9 |
SHA1: | EFE32D504CE72F32E92DCF01AA2752B04D81A342 |
SHA-256: | A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81 |
SHA-512: | BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | modified |
Size (bytes): | 819200 |
Entropy (8bit): | 6.374588464353269 |
Encrypted: | false |
SSDEEP: | 24576:7N/ac4cUrPN37qzHxA6odmL+tNE70tm8ffINgXEx98U:7NSjrPN37qzHxA6odRkymJNVd |
MD5: | 7013A53C5472267941844ED17DE4DE3C |
SHA1: | DDA886AA81995DA2ABB763969BBA86E82988DB1A |
SHA-256: | 9897AED9DA44B8A3C7D7CDEAC2FDF2281BCD024846C77D45BC84B973ABDDC81E |
SHA-512: | 6B1E8845FFEDA2A775370A89AAF7E7477CD6264DF15DA3CC7E412C282E0CCFB3719D6B08FC65190E61EC9674F5F527D939D9CD50FF9F29AF37A049D04596060D |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Program Files (x86)\Split Files\HitFiles134.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: | |
Preview: |
File type: | |
Entropy (8bit): | 7.92977873472751 |
TrID: | |
File name: | file.exe |
File size: | 1918587 |
MD5: | bc7001afd99293bf22adcdf0d30c564a |
SHA1: | b6f97de078d7a18837811c9773d9cd817eeacaed |
SHA256: | dcb609a85203e7b8da330ad8f658a9b03a5d65170d02995fa6bf4d6e39c33b2a |
SHA512: | 5aba106243fb480200ea3cc56356fd6b29241b943d6d6d6c2cee10547a3ba5c9cea3f26f17891f71eb831fa12989097d39f10da3e0200ac9e6115b774bbd7566 |
SSDEEP: | 49152:y2+yG4BrZ5p7ybafDW69Fdh5Hciwlem+aXI/m/WahOVLH:jJGo5p7EkCSFrCiwAdaH/JhOVLH |
TLSH: | F89511905C6F17A2FCC0FEF03A5B82C956322E1BB4F13D16BF99AA9C46771939901E41 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 98ccf6dc84f47c00 |
Entrypoint: | 0x409b60 |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x2A425E1C [Fri Jun 19 22:22:20 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | 884310b1928934402ea6fec1dbd3cf5e |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFC4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-24h], eax |
call 00007F8CCC96A2CBh |
call 00007F8CCC96B4D2h |
call 00007F8CCC96D6FDh |
call 00007F8CCC96D744h |
call 00007F8CCC970073h |
call 00007F8CCC9701DAh |
xor eax, eax |
push ebp |
push 0040A217h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 0040A1E0h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040C014h] |
call 00007F8CCC970C00h |
call 00007F8CCC970767h |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F8CCC96DD2Dh |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040CDE8h |
call 00007F8CCC96A37Ch |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040CDE8h] |
mov dl, 01h |
mov eax, 004072ECh |
call 00007F8CCC96E5BCh |
mov dword ptr [0040CDECh], eax |
xor edx, edx |
push ebp |
push 0040A198h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F8CCC970C70h |
mov dword ptr [0040CDF4h], eax |
mov eax, dword ptr [0040CDF4h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F8CCC970DAAh |
mov eax, dword ptr [0040CDF4h] |
mov edx, 00000028h |
call 00007F8CCC96E9BDh |
mov edx, dword ptr [0040CDF4h] |
cmp eax, dword ptr [edx+00h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x1d16c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x9280 | 0x9400 | False | 0.6105099239864865 | data | 6.538927519566751 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xb000 | 0x24c | 0x400 | False | 0.30859375 | data | 2.739865898313739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0x8b0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x11000 | 0x1d16c | 0x1d200 | False | 0.24601830740343347 | data | 4.60805412433192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x11450 | 0x46a | Device independent bitmap graphic, 45 x 8 x 24, image size 0, resolution 2834 x 2834 px/m | Chinese | China |
RT_ICON | 0x118bc | 0x24d7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x13d94 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
RT_ICON | 0x245bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States |
RT_ICON | 0x287e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
RT_ICON | 0x2ad8c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
RT_ICON | 0x2be34 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States |
RT_ICON | 0x2c7bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
RT_STRING | 0x2cc24 | 0x2f2 | data | ||
RT_STRING | 0x2cf18 | 0x30c | data | ||
RT_STRING | 0x2d224 | 0x2ce | data | ||
RT_STRING | 0x2d4f4 | 0x68 | data | ||
RT_STRING | 0x2d55c | 0xb4 | data | ||
RT_STRING | 0x2d610 | 0xae | data | ||
RT_RCDATA | 0x2d6c0 | 0x2c | data | ||
RT_GROUP_ICON | 0x2d6ec | 0x68 | data | English | United States |
RT_VERSION | 0x2d754 | 0x4b8 | COM executable for DOS | English | United States |
RT_MANIFEST | 0x2dc0c | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/08/23-16:11:53.367556 | TCP | 2852980 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
01/08/23-16:11:53.444812 | TCP | 2852981 | ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
01/08/23-16:11:53.219578 | TCP | 2041920 | ET TROJAN GCleaner Downloader Activity M8 | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
01/08/23-16:11:53.472106 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 8, 2023 16:11:53.191418886 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:11:53.218492985 CET | 80 | 49712 | 45.139.105.171 | 192.168.2.7 |
Jan 8, 2023 16:11:53.218791962 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:11:53.219578028 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:11:53.246977091 CET | 80 | 49712 | 45.139.105.171 | 192.168.2.7 |
Jan 8, 2023 16:11:53.251513004 CET | 80 | 49712 | 45.139.105.171 | 192.168.2.7 |
Jan 8, 2023 16:11:53.251673937 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:11:53.338839054 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.366535902 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.366803885 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.367556095 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.394515038 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.394783020 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.395054102 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.444812059 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.471693993 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472105980 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472151041 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472182035 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472213030 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472229958 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472249031 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472260952 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472285032 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472286940 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472318888 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472328901 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472336054 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472378016 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472379923 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472430944 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472512960 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472558975 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.472568989 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.472841978 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499299049 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499370098 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499414921 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499475002 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499516010 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499542952 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499555111 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499572992 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499594927 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499622107 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499630928 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499686003 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.499788046 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499833107 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499860048 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499886990 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499912977 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499939919 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.499969006 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500005960 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500040054 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500049114 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500077963 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500086069 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500102043 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500113010 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500137091 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500139952 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500159025 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500166893 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.500186920 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.500231028 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527118921 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527157068 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527194023 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527213097 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527232885 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527252913 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527273893 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527283907 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527323961 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527345896 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527345896 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527363062 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527365923 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527388096 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527389050 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527409077 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527410984 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527431965 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527441978 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527451992 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527457952 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527472973 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527479887 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527493954 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527501106 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527513981 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527519941 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527534008 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527539015 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527554989 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527559996 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527574062 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527581930 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527595043 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527601957 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527615070 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527623892 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527637005 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527642965 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527657032 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527662992 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527678013 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527688026 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527698040 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527709961 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527719021 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527739048 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527748108 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527760029 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527781010 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527786970 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527801037 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527811050 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527822018 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527842045 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527852058 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527863026 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527883053 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527889013 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527903080 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527908087 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527921915 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.527947903 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527981043 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.527995110 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.528034925 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.528053045 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.528055906 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.528074980 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.528101921 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.554969072 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.555020094 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.555047035 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.555073977 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:53.555212021 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.555269957 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:53.617386103 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:53.644507885 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:53.644625902 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:53.645319939 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:53.672415972 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:54.082423925 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:54.082561016 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:56.127495050 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:56.154897928 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:56.637835979 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:56.638144970 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:58.253014088 CET | 80 | 49712 | 45.139.105.171 | 192.168.2.7 |
Jan 8, 2023 16:11:58.253138065 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:11:58.532481909 CET | 80 | 49713 | 107.182.129.235 | 192.168.2.7 |
Jan 8, 2023 16:11:58.532619953 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Jan 8, 2023 16:11:58.740329027 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:11:58.767563105 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:59.151047945 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:11:59.151151896 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:01.730437040 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:01.757761955 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:02.141336918 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:02.141544104 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:04.209789038 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:04.237472057 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:04.593364000 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:04.593502998 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:06.691756964 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:06.718959093 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:07.140213013 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:07.140393019 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:09.435359955 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:09.462553024 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:09.859667063 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:09.860945940 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:12.003207922 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:12.030476093 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:12.396673918 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:12.396816969 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:14.472335100 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:14.499659061 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:14.943459988 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:14.946469069 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:17.060220957 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:17.087439060 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:17.461776972 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:17.461951017 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:20.207679987 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:20.235049963 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:20.626013994 CET | 80 | 49714 | 171.22.30.106 | 192.168.2.7 |
Jan 8, 2023 16:12:20.626187086 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:24.469057083 CET | 49714 | 80 | 192.168.2.7 | 171.22.30.106 |
Jan 8, 2023 16:12:24.469219923 CET | 49712 | 80 | 192.168.2.7 | 45.139.105.171 |
Jan 8, 2023 16:12:24.469253063 CET | 49713 | 80 | 192.168.2.7 | 107.182.129.235 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49712 | 45.139.105.171 | 80 | C:\Program Files (x86)\Split Files\HitFiles134.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 8, 2023 16:11:53.219578028 CET | 106 | OUT | |
Jan 8, 2023 16:11:53.251513004 CET | 107 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.7 | 49713 | 107.182.129.235 | 80 | C:\Program Files (x86)\Split Files\HitFiles134.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 8, 2023 16:11:53.367556095 CET | 107 | OUT | |
Jan 8, 2023 16:11:53.394783020 CET | 108 | IN | |
Jan 8, 2023 16:11:53.444812059 CET | 108 | OUT | |
Jan 8, 2023 16:11:53.472105980 CET | 109 | IN | |