Edit tour
Windows
Analysis Report
1ibwQtrqNy.exe
Overview
General Information
| Sample Name: | 1ibwQtrqNy.exe |
| Original Sample Name: | 65dd3ed482f22906e70dd004a73e5cef.exe |
| Analysis ID: | 877011 |
| MD5: | 65dd3ed482f22906e70dd004a73e5cef |
| SHA1: | ffe8496a9d3f0a2f5571e683b466d3f3d2092172 |
| SHA256: | 15f5d9cd2cb95efaecbf0bc1a455cd6cc301848a5ba71cc4788e4b68c327382d |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
Nymaim
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
1ibwQtrqNy.exe (PID: 4080 cmdline: C:\Users\u ser\Deskto p\1ibwQtrq Ny.exe MD5: 65DD3ED482F22906E70DD004A73E5CEF) - is-2H2P0.tmp (PID: 4944 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-50V JD.tmp\is- 2H2P0.tmp" /SL4 $204 8E "C:\Use rs\user\De sktop\1ibw QtrqNy.exe " 1911253 52224 MD5: 1F2BC482C99F55A713CF6CA3C1FF04F8) 
Rec528.exe (PID: 2576 cmdline: "C:\Progra m Files (x 86)\FLSCov er\Rec528\ Rec528.exe " MD5: 9D3532E4DB1BBBCCA78E0D2DC8AE2572) 
IFLIjCfKSqd.exe (PID: 7052 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06) 
cmd.exe (PID: 5924 cmdline: "C:\Window s\System32 \cmd.exe" /c taskkil l /im "Rec 528.exe" / f & erase "C:\Progra m Files (x 86)\FLSCov er\Rec528\ Rec528.exe " & exit MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5972 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - taskkill.exe (PID: 2288 cmdline:
taskkill / im "Rec528 .exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Nymaim | Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising. | No Attribution |
{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | ||
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.345.12.253.7249698802044031 05/28/23-14:31:02.886782 |
| SID: | 2044031 |
| Source Port: | 49698 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.345.12.253.7549699802044033 05/28/23-14:31:35.542564 |
| SID: | 2044033 |
| Source Port: | 49699 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.345.12.253.7249698802044032 05/28/23-14:31:02.924623 |
| SID: | 2044032 |
| Source Port: | 49698 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 45.12.253.72192.168.2.380496982044037 05/28/23-14:31:02.950793 |
| SID: | 2044037 |
| Source Port: | 80 |
| Destination Port: | 49698 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.345.12.253.5649697802044034 05/28/23-14:31:02.810921 |
| SID: | 2044034 |
| Source Port: | 49697 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 1_2_10001000 | |
| Source: | Code function: | 1_2_10001130 | |
| Source: | Code function: | 2_2_00403770 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0046CA68 | |
| Source: | Code function: | 1_2_00474A14 | |
| Source: | Code function: | 1_2_0045157C | |
| Source: | Code function: | 1_2_0045E244 | |
| Source: | Code function: | 1_2_0048AC5C | |
| Source: | Code function: | 1_2_00472CD4 | |
| Source: | Code function: | 1_2_0045CDA4 | |
| Source: | Code function: | 1_2_0045DEB0 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_00423DAD | |
| Source: | Code function: | 2_2_10007E39 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 2_2_00401B40 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Binary or memory string: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00408280 | |
| Source: | Code function: | 1_2_00468C28 | |
| Source: | Code function: | 1_2_00461280 | |
| Source: | Code function: | 1_2_0043DE40 | |
| Source: | Code function: | 1_2_004302D0 | |
| Source: | Code function: | 1_2_004445B8 | |
| Source: | Code function: | 1_2_00434864 | |
| Source: | Code function: | 1_2_0047AA90 | |
| Source: | Code function: | 1_2_00444B60 | |
| Source: | Code function: | 1_2_0045ADE0 | |
| Source: | Code function: | 1_2_00480F94 | |
| Source: | Code function: | 1_2_00445258 | |
| Source: | Code function: | 1_2_004132E1 | |
| Source: | Code function: | 1_2_00463288 | |
| Source: | Code function: | 1_2_00435568 | |
| Source: | Code function: | 1_2_00445664 | |
| Source: | Code function: | 1_2_0042F874 | |
| Source: | Code function: | 1_2_00457F04 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_00409670 | |
| Source: | Code function: | 2_2_004056A0 | |
| Source: | Code function: | 2_2_00406800 | |
| Source: | Code function: | 2_2_00406AA0 | |
| Source: | Code function: | 2_2_00404D40 | |
| Source: | Code function: | 2_2_00405F40 | |
| Source: | Code function: | 2_2_00402F20 | |
| Source: | Code function: | 2_2_00415053 | |
| Source: | Code function: | 2_2_00415285 | |
| Source: | Code function: | 2_2_00422329 | |
| Source: | Code function: | 2_2_00419490 | |
| Source: | Code function: | 2_2_004267D0 | |
| Source: | Code function: | 2_2_00404840 | |
| Source: | Code function: | 2_2_004109D0 | |
| Source: | Code function: | 2_2_0042AB1A | |
| Source: | Code function: | 2_2_0040CBC0 | |
| Source: | Code function: | 2_2_00421C08 | |
| Source: | Code function: | 2_2_0042AC3A | |
| Source: | Code function: | 2_2_00428CB9 | |
| Source: | Code function: | 2_2_00447D2D | |
| Source: | Code function: | 2_2_00404F20 | |
| Source: | Code function: | 2_2_1000E111 | |
| Source: | Code function: | 2_2_1000FAC0 | |
| Source: | Code function: | 1_2_00423C4C | |
| Source: | Code function: | 1_2_004126A0 | |
| Source: | Code function: | 1_2_00455514 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040910C | |
| Source: | Code function: | 1_2_00453D80 | |
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00401B40 | |
| Source: | File read: | Jump to behavior | ||
| Source: | Code function: | 1_2_004547A0 | |
| Source: | Code function: | 2_2_00402C00 | |
| Source: | Code function: | 2_2_00405350 | |
| Source: | Mutant created: | ||
| Source: | Code function: | 1_2_0040B090 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 2_2_00409670 | |
| Source: | Command line argument: | 2_2_00409670 | |
| Source: | Command line argument: | 2_2_00409670 | |
| Source: | Command line argument: | 2_2_00409670 | |
| Source: | Window found: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_004065C9 | |
| Source: | Code function: | 0_2_00404195 | |
| Source: | Code function: | 0_2_0040442D | |
| Source: | Code function: | 0_2_0040442D | |
| Source: | Code function: | 0_2_0040442D | |
| Source: | Code function: | 0_2_00408C07 | |
| Source: | Code function: | 0_2_0040442D | |
| Source: | Code function: | 0_2_00407F41 | |
| Source: | Code function: | 1_2_00409A55 | |
| Source: | Code function: | 1_2_0040A108 | |
| Source: | Code function: | 1_2_004302D5 | |
| Source: | Code function: | 1_2_004063C1 | |
| Source: | Code function: | 1_2_0047866B | |
| Source: | Code function: | 1_2_0041079D | |
| Source: | Code function: | 1_2_00412A4B | |
| Source: | Code function: | 1_2_0045AAA1 | |
| Source: | Code function: | 1_2_00450EDF | |
| Source: | Code function: | 1_2_0040D0F2 | |
| Source: | Code function: | 1_2_00443534 | |
| Source: | Code function: | 1_2_004055F9 | |
| Source: | Code function: | 1_2_0040F652 | |
| Source: | Code function: | 1_2_00405891 | |
| Source: | Code function: | 1_2_00405891 | |
| Source: | Code function: | 1_2_00405891 | |
| Source: | Code function: | 1_2_00405891 | |
| Source: | Code function: | 1_2_00479B25 | |
| Source: | Code function: | 1_2_00419CF5 | |
| Source: | Code function: | 2_2_004311B6 | |
| Source: | Code function: | 2_2_0040F44D | |
| Source: | Code function: | 2_2_1000E836 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 1_2_00423CD4 | |
| Source: | Code function: | 1_2_00423CD4 | |
| Source: | Code function: | 1_2_00478118 | |
| Source: | Code function: | 1_2_0042425C | |
| Source: | Code function: | 1_2_004242A4 | |
| Source: | Code function: | 1_2_0041844C | |
| Source: | Code function: | 1_2_00422924 | |
| Source: | Code function: | 1_2_00417660 | |
| Source: | Code function: | 1_2_00417D96 | |
| Source: | Code function: | 1_2_00417D98 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-5522 | ||
| Source: | Last function: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Check user administrative privileges: | graph_2-35562 | ||
| Source: | Code function: | 2_2_004056A0 | |
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00409764 | |
| Source: | Code function: | 1_2_0046CA68 | |
| Source: | Code function: | 1_2_00474A14 | |
| Source: | Code function: | 1_2_0045157C | |
| Source: | Code function: | 1_2_0045E244 | |
| Source: | Code function: | 1_2_0048AC5C | |
| Source: | Code function: | 1_2_00472CD4 | |
| Source: | Code function: | 1_2_0045CDA4 | |
| Source: | Code function: | 1_2_0045DEB0 | |
| Source: | Code function: | 2_2_00404490 | |
| Source: | Code function: | 2_2_00423DAD | |
| Source: | Code function: | 2_2_10007E39 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 2_2_004132EB | |
| Source: | Code function: | 2_2_00402C00 | |
| Source: | Code function: | 2_2_00402F20 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 2_2_0044028F | |
| Source: | Code function: | 2_2_0042039F | |
| Source: | Code function: | 2_2_004429E7 | |
| Source: | Code function: | 2_2_00417B2F | |
| Source: | Code function: | 2_2_10007A06 | |
| Source: | Code function: | 2_2_10005EB5 | |
| Source: | Code function: | 2_2_0040F2B4 | |
| Source: | Code function: | 2_2_0040F709 | |
| Source: | Code function: | 2_2_004132EB | |
| Source: | Code function: | 2_2_0040F575 | |
| Source: | Code function: | 2_2_0040EB52 | |
| Source: | Code function: | 2_2_10005630 | |
| Source: | Code function: | 2_2_10002A85 | |
| Source: | Code function: | 2_2_10002F80 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 1_2_00459734 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_004051D8 | |
| Source: | Code function: | 0_2_00405224 | |
| Source: | Code function: | 1_2_004085FC | |
| Source: | Code function: | 1_2_00408648 | |
| Source: | Code function: | 2_2_00404D40 | |
| Source: | Code function: | 2_2_0042700C | |
| Source: | Code function: | 2_2_004270A7 | |
| Source: | Code function: | 2_2_00427132 | |
| Source: | Code function: | 2_2_0041E27F | |
| Source: | Code function: | 2_2_00427385 | |
| Source: | Code function: | 2_2_004274AB | |
| Source: | Code function: | 2_2_004275B1 | |
| Source: | Code function: | 2_2_00427680 | |
| Source: | Code function: | 2_2_0041E7A1 | |
| Source: | Code function: | 2_2_00426D1F | |
| Source: | Code function: | 2_2_00426FC1 | |
| Source: | Code function: | 2_2_0040F773 | |
| Source: | Code function: | 1_2_00455E7C | |
| Source: | Code function: | 0_2_004026C4 | |
| Source: | Code function: | 0_2_00405CC0 | |
| Source: | Code function: | 1_2_00453D18 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 22 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 13 Process Injection | Proc Filesystem | 11 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 20% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1314978 | ||
| 100% | Joe Sandbox ML | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 62% | ReversingLabs | Win32.Trojan.GenusAgent |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 45.12.253.72 | unknown | Germany | 33657 | CMCSUS | true | |
| 45.12.253.75 | unknown | Germany | 33657 | CMCSUS | true | |
| 45.12.253.98 | unknown | Germany | 33657 | CMCSUS | true | |
| 45.12.253.56 | unknown | Germany | 33657 | CMCSUS | true |
| Joe Sandbox Version: | 37.1.0 Beryl |
| Analysis ID: | 877011 |
| Start date and time: | 2023-05-28 14:30:06 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | 1ibwQtrqNy.exe |
| Original Sample Name: | 65dd3ed482f22906e70dd004a73e5cef.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@12/23@0/4 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 14:31:01 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 45.12.253.72 | Get hash | malicious | Nymaim | Browse |
| |
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CMCSUS | Get hash | malicious | Nymaim | Browse |
| |
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Stealc | Browse |
| ||
| CMCSUS | Get hash | malicious | Nymaim | Browse |
| |
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | Nymaim | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Stealc | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Program Files (x86)\FLSCover\Rec528\Preview.exe (copy) | Get hash | malicious | Nymaim | Browse | ||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Stealc | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | Fabookie, Nymaim, PrivateLoader, RedLine | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | Nymaim | Browse | |||
| Get hash | malicious | MinerDownloader, RedLine, Vidar, Xmrig | Browse | |||
| Get hash | malicious | Nymaim | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 791040 |
| Entropy (8bit): | 6.608982798504157 |
| Encrypted: | false |
| SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
| MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
| SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
| SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
| SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1949 |
| Entropy (8bit): | 4.915453283427292 |
| Encrypted: | false |
| SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
| MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
| SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
| SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
| SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | modified |
| Size (bytes): | 2491753 |
| Entropy (8bit): | 6.2535337137307625 |
| Encrypted: | false |
| SSDEEP: | 24576:TzyEzyqd/zyCzytzy3ozyikzy3DKzyH1cuu7hhyGW1G4dPApP8Xv+MysNKt19crT:PTIxvnu7byGx4Ff+MyOe19UuRDy |
| MD5: | 9D3532E4DB1BBBCCA78E0D2DC8AE2572 |
| SHA1: | E6F4EE6D2AEF36909CA0330BA03798AB76493CA8 |
| SHA-256: | A9BAEFA9E8C28E5E028E19691EF04E5C85E94F0F81B4CF6844A9C63D9A22F3A1 |
| SHA-512: | 21B6265DF422B7F61D2FF8E5F87AFEBD4B0642806A3E88F50B39211AD4315349137C7CC2AD2441CE870CE09CF1A1790043C668BFF564C90C01775C04981ECBA7 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6452 |
| Entropy (8bit): | 4.734154041089812 |
| Encrypted: | false |
| SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
| MD5: | 247D3A0C3B0C53CA33D032A561619495 |
| SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
| SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
| SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6452 |
| Entropy (8bit): | 4.734154041089812 |
| Encrypted: | false |
| SSDEEP: | 96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb |
| MD5: | 247D3A0C3B0C53CA33D032A561619495 |
| SHA1: | F30570C48749FE427FACCBDF925048B149D22460 |
| SHA-256: | 783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB |
| SHA-512: | 9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 553405 |
| Entropy (8bit): | 7.979175020825392 |
| Encrypted: | false |
| SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
| MD5: | 37E6EEA8C4E469F6439F3790166815DD |
| SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
| SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
| SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1949 |
| Entropy (8bit): | 4.915453283427292 |
| Encrypted: | false |
| SSDEEP: | 48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf |
| MD5: | C0AE85DB30FE9027DBBF3BA758FA78BE |
| SHA1: | 95E69DB95504A9F61D090690F32FB5D2F685C604 |
| SHA-256: | CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7 |
| SHA-512: | DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 553405 |
| Entropy (8bit): | 7.979175020825392 |
| Encrypted: | false |
| SSDEEP: | 12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt |
| MD5: | 37E6EEA8C4E469F6439F3790166815DD |
| SHA1: | E0A3768F291CC7FCE178A001F0356D4FBA29D81F |
| SHA-256: | 606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113 |
| SHA-512: | 68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2491753 |
| Entropy (8bit): | 6.2535333299603195 |
| Encrypted: | false |
| SSDEEP: | 24576:mzyEzyqd/zyCzytzy3ozyikzy3DKzyH1cuu7hhyGW1G4dPApP8Xv+MysNKt19crT:wTIxvnu7byGx4Ff+MyOe19UuRDy |
| MD5: | AAE2F1475E852D41D371B6CB7F9813EF |
| SHA1: | E5C9DB852CA1268A076259E03E9C0DCF15EB22DA |
| SHA-256: | EAD63B2C168FC3984B0B8B8A948EB15062E2FDBB722BB974FCE8610D2D8EB50A |
| SHA-512: | C1DFABC1EE689C70FED3C825ABF86F9E3A76D8102B1EF3FBCFBDC87185E9640A875341ED1CAC31063005A0FB942623746A00E70DFE5E20B7A61202432AA66312 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 791040 |
| Entropy (8bit): | 6.608982798504157 |
| Encrypted: | false |
| SSDEEP: | 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I |
| MD5: | 5C2FE7D4DDE65810152054F3C93C1815 |
| SHA1: | 2A19F3FAA78A5072068F7902DB19A248F11FA69B |
| SHA-256: | 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730 |
| SHA-512: | 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 670474 |
| Entropy (8bit): | 6.480362295801881 |
| Encrypted: | false |
| SSDEEP: | 12288:spmOmg1k2bfrP437QzH/A6A40lG77Nzkn9Gymxpp:mmt2bfrP437QzH/A6A7E7dmPmxpp |
| MD5: | 9ED3858F4C066125A0A6B9FADCD95DCE |
| SHA1: | BEE9B47A0EF101F1784B65A0B3DB6C6518C7520F |
| SHA-256: | 8EFE36858B9E1CDF3B5D901A4EC17E4EEC148707F526264F35A2BCDA5E139A13 |
| SHA-512: | A460EF220E126D8406F7603ABF697379928E7983C8DAD8A070125E1C205F269702B173FC1B10E18B622B51C6FB081A3E30200E0A7F342FEA41147132C4D270E9 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3674 |
| Entropy (8bit): | 4.378368790525658 |
| Encrypted: | false |
| SSDEEP: | 48:K4zyMuLBv8Ra0VpifrDWQNtahqqLVO3471N7nuRxWZv1rUczddv:72p8supAWQahqWOIhpnuqTv |
| MD5: | 2FB7EF6747A75C8A0126D2B35C9A8254 |
| SHA1: | 3ADA72747D895F9F1AE603064C16830D91369846 |
| SHA-256: | 672A704DD5482DF3153A9DB796F784C83A8AD76F25364F4D652BE5AF5D7DE672 |
| SHA-512: | 66C6D7FDC8C49F8935929BCCE04F41729E194C6CB181C4B7A9BE352774EB0E05FF35770EDA90526C4BEFBF1CE2750CF7B05D094204250DF7F21D2FF96FF0CD86 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 670474 |
| Entropy (8bit): | 6.480362295801881 |
| Encrypted: | false |
| SSDEEP: | 12288:spmOmg1k2bfrP437QzH/A6A40lG77Nzkn9Gymxpp:mmt2bfrP437QzH/A6A7E7dmPmxpp |
| MD5: | 9ED3858F4C066125A0A6B9FADCD95DCE |
| SHA1: | BEE9B47A0EF101F1784B65A0B3DB6C6518C7520F |
| SHA-256: | 8EFE36858B9E1CDF3B5D901A4EC17E4EEC148707F526264F35A2BCDA5E139A13 |
| SHA-512: | A460EF220E126D8406F7603ABF697379928E7983C8DAD8A070125E1C205F269702B173FC1B10E18B622B51C6FB081A3E30200E0A7F342FEA41147132C4D270E9 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21 |
| Entropy (8bit): | 3.975418017913833 |
| Encrypted: | false |
| SSDEEP: | 3:iIxcsJE:iyE |
| MD5: | C0236A8F8EB0411CC373CD432E252990 |
| SHA1: | 49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0 |
| SHA-256: | 375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242 |
| SHA-512: | 3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\fuckingdllENCR[1].dll 
Download File
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 95248 |
| Entropy (8bit): | 7.998277474001343 |
| Encrypted: | true |
| SSDEEP: | 1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6 |
| MD5: | 636E3CA21F2541B5EE3AB9922A183C79 |
| SHA1: | 4B98C5432E534AF5FA17424C907E61CCFA6880D9 |
| SHA-256: | 9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9 |
| SHA-512: | 6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\1ibwQtrqNy.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 659968 |
| Entropy (8bit): | 6.470646344307062 |
| Encrypted: | false |
| SSDEEP: | 12288:0pmOmg1k2bfrP437QzH/A6A40lG77Nzkn9Gymxp:umt2bfrP437QzH/A6A7E7dmPmxp |
| MD5: | 1F2BC482C99F55A713CF6CA3C1FF04F8 |
| SHA1: | 852BACEF61B885AA31AFC7F615DE6C6AF0F715F4 |
| SHA-256: | 0A0D0B1916549CF997E2110A768D5BD088F5D1390960C22CB9609FE722779DCF |
| SHA-512: | A0ECE5740FADBDB08F8A9EFDB5E72B56198CFB35981835E03DAFD2AD09D61BC592E602887D7CF65C58FC19B26CAEA653C1B5E5D4F35A85EBDC784300AA6948E9 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2560 |
| Entropy (8bit): | 2.8818118453929262 |
| Encrypted: | false |
| SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
| MD5: | A69559718AB506675E907FE49DEB71E9 |
| SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
| SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
| SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 4.226829458093667 |
| Encrypted: | false |
| SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
| MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
| SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
| SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
| SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 23312 |
| Entropy (8bit): | 4.596242908851566 |
| Encrypted: | false |
| SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
| MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
| SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
| SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
| SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 73728 |
| Entropy (8bit): | 6.20389308045717 |
| Encrypted: | false |
| SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
| MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
| SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
| SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
| SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.994995673189032 |
| TrID: |
|
| File name: | 1ibwQtrqNy.exe |
| File size: | 2146015 |
| MD5: | 65dd3ed482f22906e70dd004a73e5cef |
| SHA1: | ffe8496a9d3f0a2f5571e683b466d3f3d2092172 |
| SHA256: | 15f5d9cd2cb95efaecbf0bc1a455cd6cc301848a5ba71cc4788e4b68c327382d |
| SHA512: | 762707faeacb8f9e17a2e084fa3345961325a7fd061f72a50e6136a890cf07f6832d514c2c30ff6538c31b98427c301b6fdbffdfcfd2d0290c3620627e3118e1 |
| SSDEEP: | 49152:Sii/UTUrr4aL/bmKCAnjHtY4pxw2XZs8wux:Si4W64aWKC6NYGnXmc |
| TLSH: | C1A5337192B54276E1C2C5BB6EB2CB705576FEB80660718C326DFC794E32242DC6A31A |
| File Content Preview: | MZP.....................@.......................Inno.. .HA..............!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 2d2e3797b32b2b99 |
| Entrypoint: | 0x409820 |
| Entrypoint Section: | CODE |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| DLL Characteristics: | |
| Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 1 |
| OS Version Minor: | 0 |
| File Version Major: | 1 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 1 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e92b45c54aa05ec107d5ef90662e6b33 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFD4h |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| mov dword ptr [ebp-10h], eax |
| mov dword ptr [ebp-1Ch], eax |
| call 00007F3D6C693D7Bh |
| call 00007F3D6C695026h |
| call 00007F3D6C697229h |
| call 00007F3D6C697270h |
| call 00007F3D6C699867h |
| call 00007F3D6C6999CEh |
| mov esi, 0040BDE0h |
| xor eax, eax |
| push ebp |
| push 00409F05h |
| push dword ptr fs:[eax] |
| mov dword ptr fs:[eax], esp |
| xor edx, edx |
| push ebp |
| push 00409EBBh |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| mov eax, dword ptr [0040B014h] |
| call 00007F3D6C69A3BFh |
| call 00007F3D6C699F7Eh |
| lea edx, dword ptr [ebp-10h] |
| xor eax, eax |
| call 00007F3D6C6976E4h |
| mov edx, dword ptr [ebp-10h] |
| mov eax, 0040BDD4h |
| call 00007F3D6C693E27h |
| push 00000002h |
| push 00000000h |
| push 00000001h |
| mov ecx, dword ptr [0040BDD4h] |
| mov dl, 01h |
| mov eax, 00407158h |
| call 00007F3D6C697DCBh |
| mov dword ptr [0040BDD8h], eax |
| xor edx, edx |
| push ebp |
| push 00409E99h |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| lea edx, dword ptr [ebp-18h] |
| mov eax, dword ptr [0040BDD8h] |
| call 00007F3D6C697EC7h |
| mov ebx, dword ptr [ebp-18h] |
| mov edx, 00000030h |
| mov eax, dword ptr [0040BDD8h] |
| call 00007F3D6C698001h |
| mov edx, esi |
| mov ecx, 0000000Ch |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8f0 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x2800 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| CODE | 0x1000 | 0x8f94 | 0x9000 | False | 0.6195203993055556 | data | 6.591638965772245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| DATA | 0xa000 | 0x248 | 0x400 | False | 0.306640625 | data | 2.7093261929320986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xc000 | 0x8f0 | 0xa00 | False | 0.3953125 | data | 4.294209855544776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .reloc | 0xf000 | 0x884 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .rsrc | 0x10000 | 0x2800 | 0x2800 | False | 0.32021484375 | data | 4.282044854754233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x1030c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands |
| RT_ICON | 0x10434 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands |
| RT_ICON | 0x1099c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands |
| RT_ICON | 0x10c84 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands |
| RT_STRING | 0x1152c | 0x2f2 | data | ||
| RT_STRING | 0x11820 | 0x30c | data | ||
| RT_STRING | 0x11b2c | 0x2ce | data | ||
| RT_STRING | 0x11dfc | 0x68 | data | ||
| RT_STRING | 0x11e64 | 0xb4 | data | ||
| RT_STRING | 0x11f18 | 0xae | data | ||
| RT_GROUP_ICON | 0x11fc8 | 0x3e | data | English | United States |
| RT_VERSION | 0x12008 | 0x3a8 | data | English | United States |
| RT_MANIFEST | 0x123b0 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
| user32.dll | MessageBoxA |
| oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
| kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
| user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
| comctl32.dll | InitCommonControls |
| advapi32.dll | AdjustTokenPrivileges |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Dutch | Netherlands |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.345.12.253.7249698802044031 05/28/23-14:31:02.886782 | TCP | 2044031 | ET TROJAN GCleaner CnC Checkin M1 | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| 192.168.2.345.12.253.7549699802044033 05/28/23-14:31:35.542564 | TCP | 2044033 | ET TROJAN GCleaner CnC Checkin M2 | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| 192.168.2.345.12.253.7249698802044032 05/28/23-14:31:02.924623 | TCP | 2044032 | ET TROJAN GCleaner Payload Retrieval Attempt | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| 45.12.253.72192.168.2.380496982044037 05/28/23-14:31:02.950793 | TCP | 2044037 | ET TROJAN GCleaner Downloader - Payload Response | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| 192.168.2.345.12.253.5649697802044034 05/28/23-14:31:02.810921 | TCP | 2044034 | ET TROJAN Potential GCleaner CnC Checkin | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 28, 2023 14:31:02.783644915 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:02.810148954 CEST | 80 | 49697 | 45.12.253.56 | 192.168.2.3 |
| May 28, 2023 14:31:02.810333967 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:02.810920954 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:02.836796045 CEST | 80 | 49697 | 45.12.253.56 | 192.168.2.3 |
| May 28, 2023 14:31:02.841438055 CEST | 80 | 49697 | 45.12.253.56 | 192.168.2.3 |
| May 28, 2023 14:31:02.841593027 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:02.860186100 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.885916948 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.886037111 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.886781931 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.912609100 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.913141966 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.913265944 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.924623013 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.950473070 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.950793028 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.950850964 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.950901985 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.950948954 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.950980902 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.950980902 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.950995922 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951025963 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951025963 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951042891 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951090097 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951092005 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951121092 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951138973 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951155901 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951205969 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951215982 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951253891 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.951263905 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.951309919 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.976932049 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977011919 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977057934 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977104902 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977150917 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977179050 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977205992 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977246046 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977253914 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977303028 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977307081 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977327108 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977356911 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977379084 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977404118 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977417946 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977449894 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977473021 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977510929 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977519035 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977559090 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977572918 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977606058 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977617979 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977652073 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977667093 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977699041 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977713108 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977746964 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977761030 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977794886 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977809906 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977840900 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977875948 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977889061 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:02.977914095 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:02.977956057 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.003834009 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.003909111 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.003957987 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004005909 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004053116 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004056931 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004100084 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004117012 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004148960 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004157066 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004195929 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004216909 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004244089 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004291058 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004317999 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004326105 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004383087 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004395962 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004442930 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004456043 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004491091 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004503965 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004539013 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004549980 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004585981 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004602909 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004652977 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004667997 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004700899 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004714966 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004748106 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004761934 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004793882 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004806995 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004839897 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004861116 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004887104 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004925966 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004931927 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004951954 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.004977942 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.004992008 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005024910 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005040884 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005073071 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005086899 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005119085 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005132914 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005165100 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005177021 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005212069 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005227089 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005259037 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005273104 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005306005 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005325079 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005354881 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005367041 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005399942 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005414009 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005446911 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005460024 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005492926 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005511999 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005539894 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005556107 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005587101 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005599976 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005635023 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005649090 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005682945 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005696058 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005728006 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005740881 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005778074 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.005788088 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.005857944 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.032593012 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.032670021 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.032717943 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.032767057 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.032808065 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:03.032845020 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.032918930 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:03.079823971 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:03.105977058 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:03.106215954 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:03.107307911 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:03.133431911 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:04.113198042 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:04.113322020 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:06.164664030 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:06.190685034 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:07.180497885 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:07.180774927 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:07.842361927 CEST | 80 | 49697 | 45.12.253.56 | 192.168.2.3 |
| May 28, 2023 14:31:07.842453003 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:08.009016037 CEST | 80 | 49698 | 45.12.253.72 | 192.168.2.3 |
| May 28, 2023 14:31:08.009108067 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:09.243110895 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:09.268908978 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:10.275702000 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:10.275810003 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:12.347346067 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:12.376040936 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:13.336638927 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:13.336817980 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:16.196873903 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:16.223571062 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:17.181067944 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:17.181188107 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:19.244203091 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:19.270076036 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:20.223187923 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:20.223443985 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:22.302320004 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:22.330377102 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:23.346162081 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:23.347248077 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:25.402549982 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:25.428615093 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:26.400597095 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:26.400727034 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:28.479499102 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:28.505573988 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:29.528879881 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:29.529088020 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:32.466677904 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:32.492986917 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:33.490919113 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:33.491096020 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:35.542563915 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:35.571194887 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:36.600250006 CEST | 80 | 49699 | 45.12.253.75 | 192.168.2.3 |
| May 28, 2023 14:31:36.600434065 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
| May 28, 2023 14:31:40.025571108 CEST | 49697 | 80 | 192.168.2.3 | 45.12.253.56 |
| May 28, 2023 14:31:40.025640965 CEST | 49698 | 80 | 192.168.2.3 | 45.12.253.72 |
| May 28, 2023 14:31:40.025651932 CEST | 49699 | 80 | 192.168.2.3 | 45.12.253.75 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49697 | 45.12.253.56 | 80 | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| May 28, 2023 14:31:02.810920954 CEST | 91 | OUT | |
| May 28, 2023 14:31:02.841438055 CEST | 91 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49698 | 45.12.253.72 | 80 | C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| May 28, 2023 14:31:02.886781931 CEST | 92 | OUT | |
| May 28, 2023 14:31:02.913141966 CEST | 92 | IN | |
| May 28, 2023 14:31:02.924623013 CEST | 93 | OUT | |
| May 28, 2023 14:31:02.950793028 CEST | 94 | IN |