Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 5504 cmdline: C:\Users\user\Desktop\file.exe MD5: BA5CB5CABBCEFB36996BD213B8C1D284)
- is-L5RJL.tmp (PID: 5980 cmdline: "C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp" /SL4 $2042C "C:\Users\user\Desktop\file.exe" 2325944 52736 MD5: 7CD12C54A9751CA6EEE6AB0C85FB68F5)
- fhsearcher65.exe (PID: 6124 cmdline: "C:\Program Files (x86)\fhSearcher\fhsearcher65.exe" MD5: 92872B286EA229891C32DECA72ACBBAC)
- qFUx6kqeb.exe (PID: 4368 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 784 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "fhsearcher65.exe" /f & erase "C:\Program Files (x86)\fhSearcher\fhsearcher65.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 4092 cmdline: taskkill /im "fhsearcher65.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | URL Reputation: | ||
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_0045A060 | |
Source: | Code function: | 1_2_0045A114 | |
Source: | Code function: | 1_2_0045A12C | |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Code function: | 1_2_0046E2D4 | |
Source: | Code function: | 1_2_0047694C | |
Source: | Code function: | 1_2_00450EA4 | |
Source: | Code function: | 1_2_0045E738 | |
Source: | Code function: | 1_2_00474BD0 | |
Source: | Code function: | 1_2_0045EBB4 | |
Source: | Code function: | 1_2_0045D1B4 | |
Source: | Code function: | 1_2_0048D260 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004241DD | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B30 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0040914C | |
Source: | Code function: | 0_2_00409180 | |
Source: | Code function: | 1_2_004536F0 |
Source: | Code function: | 0_2_004081A8 | |
Source: | Code function: | 1_2_0043D2D0 | |
Source: | Code function: | 1_2_004777A8 | |
Source: | Code function: | 1_2_00461C80 | |
Source: | Code function: | 1_2_00469F50 | |
Source: | Code function: | 1_2_00458180 | |
Source: | Code function: | 1_2_00430454 | |
Source: | Code function: | 1_2_004446E8 | |
Source: | Code function: | 1_2_004348B0 | |
Source: | Code function: | 1_2_00444AF4 | |
Source: | Code function: | 1_2_0047CC54 | |
Source: | Code function: | 1_2_0045B078 | |
Source: | Code function: | 1_2_00413202 | |
Source: | Code function: | 1_2_004832E4 | |
Source: | Code function: | 1_2_0042F9F8 | |
Source: | Code function: | 1_2_00443A48 | |
Source: | Code function: | 1_2_00433BAC | |
Source: | Code function: | 1_2_00463C84 | |
Source: | Code function: | 1_2_00443FF0 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004056A0 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00409A10 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_0042B06A | |
Source: | Code function: | 2_2_00422038 | |
Source: | Code function: | 2_2_004290E9 | |
Source: | Code function: | 2_2_00415486 | |
Source: | Code function: | 2_2_004156B8 | |
Source: | Code function: | 2_2_00422759 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_004198C0 | |
Source: | Code function: | 2_2_00426C00 | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00410E00 | |
Source: | Code function: | 2_2_0042AF4A | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000F670 | |
Source: | Code function: | 2_2_1000EC61 |
Source: | Code function: | 1_2_0042EBCC | |
Source: | Code function: | 1_2_00423B68 | |
Source: | Code function: | 1_2_004125BC | |
Source: | Code function: | 1_2_00454CF8 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_0040914C | |
Source: | Code function: | 0_2_00409180 | |
Source: | Code function: | 1_2_004536F0 |
Source: | WMI Queries: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B30 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 1_2_00453F20 |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 0_2_004098C8 |
Source: | File created: | Jump to behavior |
Source: | Command line argument: | 2_2_00409A10 | |
Source: | Command line argument: | 2_2_00409A10 | |
Source: | Command line argument: | 2_2_00409A10 | |
Source: | Command line argument: | 2_2_00409A10 |
Source: | Key value created or modified: | Jump to behavior |
Source: | Key value created or modified: | Jump to behavior |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_0040654D | |
Source: | Code function: | 0_2_004040F1 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_0040C219 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00404389 | |
Source: | Code function: | 0_2_00408C7B | |
Source: | Code function: | 0_2_00407EA5 | |
Source: | Code function: | 1_2_00409919 | |
Source: | Code function: | 1_2_0040A024 | |
Source: | Code function: | 1_2_004062C5 | |
Source: | Code function: | 1_2_00430459 | |
Source: | Code function: | 1_2_0047A7A2 | |
Source: | Code function: | 1_2_004106B9 | |
Source: | Code function: | 1_2_0045076B | |
Source: | Code function: | 1_2_00412967 | |
Source: | Code function: | 1_2_004429C4 | |
Source: | Code function: | 1_2_00456DAC | |
Source: | Code function: | 1_2_0045AD75 | |
Source: | Code function: | 1_2_0040D00E | |
Source: | Code function: | 1_2_004054C1 | |
Source: | Code function: | 1_2_00405759 | |
Source: | Code function: | 1_2_0040F56E | |
Source: | Code function: | 1_2_00405759 | |
Source: | Code function: | 1_2_00405759 | |
Source: | Code function: | 1_2_00405759 | |
Source: | Code function: | 1_2_0047BC5D | |
Source: | Code function: | 1_2_00419C11 | |
Source: | Code function: | 1_2_0040A021 | |
Source: | Code function: | 2_2_004311B6 |
Source: | Static PE information: |
Source: | Code function: | 1_2_0044A890 |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Code function: | 1_2_00423BF0 | |
Source: | Code function: | 1_2_00423BF0 | |
Source: | Code function: | 1_2_0047A09C | |
Source: | Code function: | 1_2_00424178 | |
Source: | Code function: | 1_2_004241C0 | |
Source: | Code function: | 1_2_00418368 | |
Source: | Code function: | 1_2_00422840 | |
Source: | Code function: | 1_2_0041757C | |
Source: | Code function: | 1_2_00417CB2 | |
Source: | Code function: | 1_2_00417CB4 |
Source: | Code function: | 1_2_0044A890 |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread sleep count: | Jump to behavior |
Source: | Evasive API call chain: | graph_0-4950 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Check user administrative privileges: | graph_2-35259 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_0040980C |
Source: | Code function: | 1_2_0046E2D4 | |
Source: | Code function: | 1_2_0047694C | |
Source: | Code function: | 1_2_00450EA4 | |
Source: | Code function: | 1_2_0045E738 | |
Source: | Code function: | 1_2_00474BD0 | |
Source: | Code function: | 1_2_0045EBB4 | |
Source: | Code function: | 1_2_0045D1B4 | |
Source: | Code function: | 1_2_0048D260 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004241DD | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0041371B |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 1_2_0044A890 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_004207CF | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417F5F | |
Source: | Code function: | 2_2_100091C7 | |
Source: | Code function: | 2_2_10006CE1 |
Source: | Code function: | 2_2_0040FB39 | |
Source: | Code function: | 2_2_0041371B | |
Source: | Code function: | 2_2_0040F9A5 | |
Source: | Code function: | 2_2_0040EF82 | |
Source: | Code function: | 2_2_10006180 | |
Source: | Code function: | 2_2_100035DF | |
Source: | Code function: | 2_2_10003AD4 |
Source: | Process created: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 1_2_00459ACC |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_0040515C | |
Source: | Code function: | 0_2_004051A8 | |
Source: | Code function: | 1_2_00408500 | |
Source: | Code function: | 1_2_0040854C | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_0042714F | |
Source: | Code function: | 2_2_004273F1 | |
Source: | Code function: | 2_2_0042743C | |
Source: | Code function: | 2_2_004274D7 | |
Source: | Code function: | 2_2_00427562 | |
Source: | Code function: | 2_2_0041E6AF | |
Source: | Code function: | 2_2_004277B5 | |
Source: | Code function: | 2_2_004278DB | |
Source: | Code function: | 2_2_004279E1 | |
Source: | Code function: | 2_2_00427AB0 | |
Source: | Code function: | 2_2_0041EBD1 |
Source: | Code function: | 2_2_0043E835 |
Source: | Code function: | 1_2_0045604C |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405C44 |
Source: | Code function: | 1_2_00453688 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 13 Process Injection | Proc Filesystem | 11 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
2% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
2% | ReversingLabs | |||
3% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
2% | ReversingLabs | |||
4% | Metadefender | Browse | ||
8% | ReversingLabs | |||
3% | Metadefender | Browse | ||
38% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
100% | Avira | TR/Dropper.Gen | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1250671 | Download File |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
| false | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | high |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | 33657 | CMCSUS | false | |
45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true | |
85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true | |
107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true | |
171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 734353 |
Start date and time: | 2022-10-31 14:16:10 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@12/31@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
14:17:16 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | Get hash | malicious | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
CMCSUS | | | malicious | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\fhSearcher\is-GCUFF.tmp | | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 356 |
Entropy (8bit): | 4.884558011565004 |
Encrypted: | false |
SSDEEP: | 6:AySGO4KS/x4L8ThcSRFLk6XDuwOyoExvWmFuQUqvJrdt6YAhlAjyIDHAUXV4:Ayf3WPSPLkP/fEFWm/5v3t/byGgH |
MD5: | 461D6293779BDEF19493C351344F2B71 |
SHA1: | C441B7DAA5ABF8A2872D55F47585657147451C72 |
SHA-256: | 0C2BD3D1AEB04523291BC72424C802E36C1733E0B72FA775B9DD0A4E9CADE263 |
SHA-512: | D41DBDF10A61CEDE90D68F1F7E351D9DA441026F7CF9C12AB6ADA017B185455DDBFED74760A3DD3D67ED10A9B1915E79F6ACFF70850B626C68CB1E2B22FC9C25 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 272134 |
Entropy (8bit): | 6.156729185977344 |
Encrypted: | false |
SSDEEP: | 6144:TNKofL3cEjxCryOOYJH+8a1anwxrcSOQmlBkO+kKo:TNNzsEjxCryOOYvbnwxrcewf+1o |
MD5: | 8E46BE5A4155710361181E3B67373404 |
SHA1: | 18A19A04DD6E4BFE6731E6978F2CB295E1C52174 |
SHA-256: | 32AB0D1DF26B0DCFE78D393A1F2534D1DAA5BABC6980017303ED925682CE19D0 |
SHA-512: | 5497EEF00048125D67551FBF22747654D97903F0622830299792159DC8532013191FB006A832E7CE2B4383EE2EC67B7B7C1D06C25CF34EEB118D050AC89DC3B7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3809238 |
Entropy (8bit): | 5.78139053185094 |
Encrypted: | false |
SSDEEP: | 49152:kU1f0AHLQq2OqzAzW/32mn8ERPczOd+aW:kU1fFHzWv2mn8ERPcz3/ |
MD5: | 92872B286EA229891C32DECA72ACBBAC |
SHA1: | 7255903781C81C2466274884BF929694418EE5F0 |
SHA-256: | C6D3D6FA4C3D7D827C390956A467D37784819AA83A7B066C95869DACA0387AE2 |
SHA-512: | 8938510D0BAC5A376385C9C2B7C9F12E7FC2E93A360E35F9D51545673D3CD4EDE2CF7FF015D9D687E751454CFFF549DA019414409B8A1BE9875558649F12207F |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 44381 |
Entropy (8bit): | 4.886111144563166 |
Encrypted: | false |
SSDEEP: | 384:zDkO4WdW2OTYn/akuhSm9eDAmWZJ6Sr82Zeo75Y3kpTBLRA6AlEayr:zDEDhSm9aHZ/6A92 |
MD5: | 1BFCDE2B3D557CFB8B9004055D3A90F5 |
SHA1: | 678353ADC2CACD12555EF12F5D94FC03CD07707E |
SHA-256: | A8FBA72D4B1FB03EE40A9472430275499E361BBD74144D9956232EF2FDA0407A |
SHA-512: | DF9FDB20B2054328431AA5F0D0014D949AF4BE3BFC0CB1E3D77BEDD4626DEEA83FDA259352765C04985087E260EB03FF7B337C1D4D54878EC210EFBEA6A36AD1 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3809238 |
Entropy (8bit): | 5.7813898980836 |
Encrypted: | false |
SSDEEP: | 49152:7U1f0AHLQq2OqzAzW/32mn8ERPczOd+aW:7U1fFHzWv2mn8ERPcz3/ |
MD5: | F338B8964181F0C1019B6495503D176B |
SHA1: | D159E8A637F4783C862E9141D66B2E8B5EF2C868 |
SHA-256: | 53AA8BF1FD9762A47A0C0659FA4F8A354554759A3CC5E0824A988F05BEE6426E |
SHA-512: | 59ADAB42E1C98F54461972D534815CFFF6D7CB5DF078BFCAD12A136A0468F088F31582FCB853319A8125F284E921DC76106FF902F2AB572A075044A16F64057E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 44011 |
Entropy (8bit): | 5.026565347530582 |
Encrypted: | false |
SSDEEP: | 384:em3cWBnPz+p/zWFHQ1QDGteo75Y3kpTBLRA6AlEayF:emsuQ1WGIZ/6A9U |
MD5: | 1AE62F00FC368364A2DE668B3299D793 |
SHA1: | E4E32C3EDC269987E39FDC0883F589CECF9604B4 |
SHA-256: | F9FF5B54BB1EBEECCC4104A62E32CAB4556DD75A5F76260E720485D5CC39D7E8 |
SHA-512: | 844F4116FD8FF13B144D6D16DE695F7600283DC0B573CAAB5AE74573301B235AC234CE59D1D30BE8FB8ABBA3DFD27EDF8C53A7E0CD5320C23008B5F354377527 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 51922 |
Entropy (8bit): | 4.912794307456054 |
Encrypted: | false |
SSDEEP: | 384:eA3cWBnPz+p/zWFHQ1Qp0SEW5FRLU+cB9nGog4jy6XFsa0eo75Y3kpTBLRA6AlE8:eAsuQ1IV75knFBV6ahZ/6A9r |
MD5: | FE7C9C6F6E8F720F886BCC65FA2D9B20 |
SHA1: | 2775F12A0BABDEE5CEEDB08452EF72732E49F13C |
SHA-256: | B3F54F1D0C3EA747CC52BAD1B363815B9297088CACDF1398C8CFD7F8054CE2BB |
SHA-512: | ABBFE43FBE4827C9CEDA8D1FDD3DB3B344E99E0CDC3512E4EF84F965F882BA5E3822A407AC1F974D1986F1CDA645A20C1D00CD16262200FE39574AEFF12F6A1A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 683801 |
Entropy (8bit): | 6.4662372357428515 |
Encrypted: | false |
SSDEEP: | 12288:akxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxzb:RFRCUn4rP/37YzHXA6QJsoPtIpqxzb |
MD5: | 9E3B7671A9A6D2B4E8F76ED1A56B85E3 |
SHA1: | 57668EA771CF7CB069335AD487F0E775A9DB054B |
SHA-256: | 07BC7383ACBE75BC37F3CBDEA92FBE047FAA371173FEF57A7A082A0D9F7C93CF |
SHA-512: | 0768FF201EB680929D943F69EFEF89F5D1372CF408CC98C25E9DF7F2AB7650708F9E32E7501B9C81137D43130F102C7D1BE06F852D03952C5AC41C2D692FAB4F |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 356 |
Entropy (8bit): | 4.884558011565004 |
Encrypted: | false |
SSDEEP: | 6:AySGO4KS/x4L8ThcSRFLk6XDuwOyoExvWmFuQUqvJrdt6YAhlAjyIDHAUXV4:Ayf3WPSPLkP/fEFWm/5v3t/byGgH |
MD5: | 461D6293779BDEF19493C351344F2B71 |
SHA1: | C441B7DAA5ABF8A2872D55F47585657147451C72 |
SHA-256: | 0C2BD3D1AEB04523291BC72424C802E36C1733E0B72FA775B9DD0A4E9CADE263 |
SHA-512: | D41DBDF10A61CEDE90D68F1F7E351D9DA441026F7CF9C12AB6ADA017B185455DDBFED74760A3DD3D67ED10A9B1915E79F6ACFF70850B626C68CB1E2B22FC9C25 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 134921 |
Entropy (8bit): | 6.105680271090377 |
Encrypted: | false |
SSDEEP: | 1536:blivjgxiL8DUPKKh1EQ3Zeyo0aIWeTjXV0/KwIhFvyt2M5BH2w:bV4lfptKIW6F0JIzw2M5B1 |
MD5: | B8ED55BF81883D2BECF23FC020585214 |
SHA1: | 43F6DE28C98380B2FFBA0B29F381EB8408E6F691 |
SHA-256: | C63B20B68FABD4DF695389494235345CC95CF7E1826896EE6393F0E402B565DA |
SHA-512: | E1CB9501575B4CD66AFD6C67BE2AECA1615E9C37C2B37E68A645B21BB6B2CAAE88CAF0EC8BE3513AD72896AB6A870154D17A56F71E50D51581F00C706553B10D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 20 |
Entropy (8bit): | 3.3086949695628416 |
Encrypted: | false |
SSDEEP: | 3:IU4n:X4n |
MD5: | AAA149E55DDAE6393FE099990747DA94 |
SHA1: | F3011A304194E8AA27E0E29E49F8F2C81EAECDBD |
SHA-256: | E2C57F46196C1BA3EF69792DEDF532F2A2286BA876E5BB6091C6B173D2E7C5BB |
SHA-512: | 15121C5C5ECB404BE5E734BE437D744B8FCDB34DDD46D69E5F18CA23E4D74B79B605B9B41973989772432035332D24FFA310F78AF6F44F44C731D416F4A949AB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3782 |
Entropy (8bit): | 4.488005777864942 |
Encrypted: | false |
SSDEEP: | 48:DuLagnyMCLBv8lD8zpjxcqtUQoIN6hqkLVO3471Isnyya3HFXwlyX4BXldxxMf:qLRKp8lD8zp7toIohqYOIhTynYCf |
MD5: | BAAAA829587563C8725BC471F875672B |
SHA1: | 2F6AF58FA32657D1DAFE672E22FD0C58DF885AED |
SHA-256: | 0FB7FD51C277A97FBD10B16D940025930DC868B9190BBE6047569E1466C912E0 |
SHA-512: | 2AD2AA47097BA1EF06BCE5FB1AFFEB3515332F56F0D6994BC75501EE6B0B80F2EC398361C768DB66C9B1004B7E9FF1B94C96C2F508503309EE286D44CC155D29 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 683801 |
Entropy (8bit): | 6.4662372357428515 |
Encrypted: | false |
SSDEEP: | 12288:akxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxzb:RFRCUn4rP/37YzHXA6QJsoPtIpqxzb |
MD5: | 9E3B7671A9A6D2B4E8F76ED1A56B85E3 |
SHA1: | 57668EA771CF7CB069335AD487F0E775A9DB054B |
SHA-256: | 07BC7383ACBE75BC37F3CBDEA92FBE047FAA371173FEF57A7A082A0D9F7C93CF |
SHA-512: | 0768FF201EB680929D943F69EFEF89F5D1372CF408CC98C25E9DF7F2AB7650708F9E32E7501B9C81137D43130F102C7D1BE06F852D03952C5AC41C2D692FAB4F |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3584 |
Entropy (8bit): | 4.012434743866195 |
Encrypted: | false |
SSDEEP: | 48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD |
MD5: | C594B792B9C556EA62A30DE541D2FB03 |
SHA1: | 69E0207515E913243B94C2D3A116D232FF79AF5F |
SHA-256: | 5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E |
SHA-512: | 387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 4.203889009972449 |
Encrypted: | false |
SSDEEP: | 48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv |
MD5: | B4604F8CD050D7933012AE4AA98E1796 |
SHA1: | 36B7D966C7F87860CD6C46096B397AA23933DF8E |
SHA-256: | B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5 |
SHA-512: | 3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-VIRRO.tmp\is-L5RJL.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 673280 |
Entropy (8bit): | 6.456966952098253 |
Encrypted: | false |
SSDEEP: | 12288:CkxzRCUn4rP/37YzHXA6/YUKsGjQNw4qpRRpDWowphIxz:ZFRCUn4rP/37YzHXA6QJsoPtIpqxz |
MD5: | 7CD12C54A9751CA6EEE6AB0C85FB68F5 |
SHA1: | 76562E9B7888B6D20D67ADDB5A90B68B54A51987 |
SHA-256: | E82CABB027DB8846C3430BE760F137AFA164C36F9E1B93A6E34C96DE0B2C5A5F |
SHA-512: | 27BA5D2F719AAAC2EAD6FB42F23AF3AA866F75026BE897CD2F561F3E383904E89E6043BD22B4AE24F69787BD258A68FF696C09C03D656CBF7C79C2A52D8D82CC |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
Antivirus: | |
Preview: |
File type: | |
Entropy (8bit): | 7.996373599780453 |
TrID: | |
File name: | file.exe |
File size: | 2576538 |
MD5: | ba5cb5cabbcefb36996bd213b8c1d284 |
SHA1: | 80a62facd7b8d19817b6ee1d45036bf67953f61b |
SHA256: | c360868055519b145bf9169b913787cd1f6533995e4d8a8556f94676a6129f96 |
SHA512: | bdb418eef9bd3ed6b4b313bed84fab396ee49ff1bc5aab53ed8ce2e893a753aacb80ec65e2e446be73c1de5943eac4911801245572363286493cbec3b4ecb5b9 |
SSDEEP: | 49152:Z23hi36YDW7uVXa5eIrHGFqB/LyY529gnmIIr10KofC0vBA5hq:MxW6YD6Ga8IbqjgmIIhWf16Dq |
TLSH: | 72C533F6A7F49C74C471C6B41DBDC980AEA6BFB0122966A6F6DCC19F1D32044D88239D |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x40991c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | 884310b1928934402ea6fec1dbd3cf5e |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFCCh |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-24h], eax |
call 00007F99EC725A3Fh |
call 00007F99EC726C46h |
call 00007F99EC728E71h |
call 00007F99EC728EF8h |
call 00007F99EC72B59Fh |
call 00007F99EC72B706h |
xor eax, eax |
push ebp |
push 00409FC6h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409F7Ch |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040C014h] |
call 00007F99EC72C130h |
call 00007F99EC72BCBBh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007F99EC729375h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040CDD4h |
call 00007F99EC725AF0h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040CDD4h] |
mov dl, 01h |
mov eax, 0040719Ch |
call 00007F99EC729BE0h |
mov dword ptr [0040CDD8h], eax |
xor edx, edx |
push ebp |
push 00409F5Ah |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F99EC72C1A0h |
mov dword ptr [0040CDE0h], eax |
mov eax, dword ptr [0040CDE0h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F99EC72C2DAh |
mov eax, dword ptr [0040CDE0h] |
mov edx, 00000028h |
call 00007F99EC729FE1h |
mov edx, dword ptr [0040CDE0h] |
cmp eax, dword ptr [edx+00h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2800 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x9040 | 0x9200 | False | 0.610980308219178 | data | 6.5386448278888665 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xb000 | 0x248 | 0x400 | False | 0.3046875 | data | 2.711035285634283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xc000 | 0xe34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0x8a4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x11000 | 0x2800 | 0x2800 | False | 0.33251953125 | data | 4.4675433295468965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands |
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands |
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands |
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands |
RT_STRING | 0x12574 | 0x2f2 | data | ||
RT_STRING | 0x12868 | 0x30c | data | ||
RT_STRING | 0x12b74 | 0x2ce | data | ||
RT_STRING | 0x12e44 | 0x68 | data | ||
RT_STRING | 0x12eac | 0xb4 | data | ||
RT_STRING | 0x12f60 | 0xae | data | ||
RT_RCDATA | 0x13010 | 0x2c | data | ||
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States |
RT_VERSION | 0x1307c | 0x3cc | data | English | United States |
RT_MANIFEST | 0x13448 | 0x383 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Dutch | Netherlands | |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 31, 2022 14:17:14.940839052 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:14.965576887 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:14.965712070 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:14.969476938 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:14.993484020 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:16.575625896 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:16.575742960 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:17.068640947 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:17.092787027 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:18.536246061 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:18.536371946 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:18.585042953 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.609004974 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.609172106 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.609831095 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.633848906 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.634196043 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.634306908 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.654527903 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.678530931 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.678968906 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.678997993 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679024935 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679049015 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679068089 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679073095 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679099083 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679100990 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679126978 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679148912 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679155111 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679172993 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679181099 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679203987 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679207087 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.679224968 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.679245949 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703057051 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703097105 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703121901 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703125954 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703147888 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703155041 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703157902 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703181028 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703201056 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703206062 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703219891 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703233004 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703238010 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703258038 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703264952 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703275919 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703293085 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703296900 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703311920 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703330994 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703336954 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703350067 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703366995 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703371048 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703385115 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703391075 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703403950 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703419924 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703422070 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.703438997 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.703455925 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.704304934 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.704329967 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727323055 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727369070 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727395058 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727420092 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727435112 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727451086 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727468967 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727479935 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727490902 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727509022 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727518082 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727535963 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727546930 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727561951 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727566004 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727588892 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727602959 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727613926 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727622032 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727639914 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727652073 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727664948 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727674961 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727691889 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727703094 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727718115 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727729082 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727744102 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727752924 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727770090 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727773905 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727796078 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727807045 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727821112 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727827072 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727845907 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727858067 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727870941 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727874994 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727897882 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727910995 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727924109 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727927923 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727950096 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727972031 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.727974892 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.727982044 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728002071 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728012085 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728028059 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728041887 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728055954 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728063107 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728081942 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728091002 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728108883 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728132963 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728133917 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728148937 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728159904 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728172064 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728187084 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728199005 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728213072 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728221893 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728239059 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728256941 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728266001 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728286028 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728291988 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728303909 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728318930 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728322983 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728346109 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728358030 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728372097 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.728383064 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.728410006 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.752238989 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.752273083 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.752296925 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.752320051 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:18.752420902 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.752458096 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:18.905550957 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:18.929617882 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:18.929790020 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:18.930911064 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:18.954818964 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:19.850228071 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:19.850330114 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:22.293817043 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:22.317771912 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:22.864605904 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:22.864801884 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:23.540091991 CET | 80 | 49699 | 45.139.105.171 | 192.168.2.6 |
Oct 31, 2022 14:17:23.540227890 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:23.728935957 CET | 80 | 49700 | 107.182.129.235 | 192.168.2.6 |
Oct 31, 2022 14:17:23.729124069 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:24.959558964 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:24.983350992 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:25.549472094 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:25.549580097 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:27.627589941 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:27.651539087 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:28.144742012 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:28.144889116 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:30.315901041 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:30.339968920 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:30.859983921 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:30.860152006 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:32.972939014 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:32.996895075 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:33.528526068 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:33.531575918 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:35.677289009 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:35.701622963 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:36.297446966 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:36.297584057 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:38.378695011 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:38.402729034 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:38.959870100 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:38.959994078 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:41.138602018 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:41.162659883 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:41.689835072 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:41.689948082 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:44.878555059 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:44.902822971 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:45.458594084 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:45.458950043 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:47.558216095 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:47.582226038 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:48.120137930 CET | 80 | 49701 | 171.22.30.106 | 192.168.2.6 |
Oct 31, 2022 14:17:48.120421886 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Oct 31, 2022 14:17:51.412739992 CET | 49699 | 80 | 192.168.2.6 | 45.139.105.171 |
Oct 31, 2022 14:17:51.412810087 CET | 49700 | 80 | 192.168.2.6 | 107.182.129.235 |
Oct 31, 2022 14:17:51.412986040 CET | 49701 | 80 | 192.168.2.6 | 171.22.30.106 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49699 | 45.139.105.171 | 80 | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Oct 31, 2022 14:17:14.969476938 CET | 9 | OUT | |
Oct 31, 2022 14:17:16.575625896 CET | 9 | IN | |
Oct 31, 2022 14:17:17.068640947 CET | 9 | OUT | |
Oct 31, 2022 14:17:18.536246061 CET | 10 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.6 | 49700 | 107.182.129.235 | 80 | C:\Program Files (x86)\fhSearcher\fhsearcher65.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Oct 31, 2022 14:17:18.609831095 CET | 10 | OUT | |
Oct 31, 2022 14:17:18.634196043 CET | 11 | IN | |
Oct 31, 2022 14:17:18.654527903 CET | 11 | OUT | |
Oct 31, 2022 14:17:18.678968906 CET | 13 | IN | |