Windows
Analysis Report
file.exe
Overview
General Information
Detection
Nymaim
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 6084 cmdline: C:\Users\user\Desktop\file.exe MD5: 2ED741014B8CDAFD91A740432A3CFFA1)
- is-QPTG8.tmp (PID: 6080 cmdline: "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712 MD5: 85B94E72C3F2D2B5464E2AAF3C9E242A)
- PrintFolders.exe (PID: 4532 cmdline: "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" MD5: 2ABBE052537A4C836AFE8DBAC888F131)
- uywwtiNQ.exe (PID: 6120 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
- cmd.exe (PID: 1336 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 1760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 3416 cmdline: taskkill /im "PrintFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- cleanup
{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Code function: | 1_2_10001000 | |
Source: | Code function: | 1_2_10001130 | |
Source: | Code function: | 2_2_00403770 |
Compliance
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: |
Networking
Source: | IPs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_00401B30 |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004081C8 | |
Source: | Code function: | 1_2_00468940 | |
Source: | Code function: | 1_2_00460F30 | |
Source: | Code function: | 1_2_0043DF70 | |
Source: | Code function: | 1_2_004303A4 | |
Source: | Code function: | 1_2_0047A6D8 | |
Source: | Code function: | 1_2_004446E8 | |
Source: | Code function: | 1_2_00434994 | |
Source: | Code function: | 1_2_0045AA90 | |
Source: | Code function: | 1_2_00480BDC | |
Source: | Code function: | 1_2_00444C90 | |
Source: | Code function: | 1_2_00462F38 | |
Source: | Code function: | 1_2_00445388 | |
Source: | Code function: | 1_2_00435698 | |
Source: | Code function: | 1_2_00445794 | |
Source: | Code function: | 1_2_0042F948 | |
Source: | Code function: | 1_2_00457BB4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_004096F0 | |
Source: | Code function: | 2_2_004056A0 | |
Source: | Code function: | 2_2_00406800 | |
Source: | Code function: | 2_2_00406AA0 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00405F40 | |
Source: | Code function: | 2_2_00402F20 | |
Source: | Code function: | 2_2_004150D3 | |
Source: | Code function: | 2_2_00415305 | |
Source: | Code function: | 2_2_004223A9 | |
Source: | Code function: | 2_2_00419510 | |
Source: | Code function: | 2_2_00404840 | |
Source: | Code function: | 2_2_00426850 | |
Source: | Code function: | 2_2_00410A50 | |
Source: | Code function: | 2_2_0042AB9A | |
Source: | Code function: | 2_2_00421C88 | |
Source: | Code function: | 2_2_0042ACBA | |
Source: | Code function: | 2_2_00447D2D | |
Source: | Code function: | 2_2_00428D39 | |
Source: | Code function: | 2_2_00404F20 | |
Source: | Code function: | 2_2_1000F670 | |
Source: | Code function: | 2_2_1000EC61 |
Source: | Code function: | 1_2_00423D9C | |
Source: | Code function: | 1_2_004127F0 | |
Source: | Code function: | 1_2_004551C4 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Code function: | 0_2_00408F74 | |
Source: | Code function: | 1_2_00453A8C |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 2_2_00401B30 |
Source: | File read: |
Source: | Code function: | 1_2_00454498 |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00405350 |
Source: | Mutant created: |
Source: | Code function: | 1_2_0040B1E0 |
Source: | File created: |
Source: | Command line argument: | 2_2_004096F0 |
Source: | Window found: |
Source: | Window detected: |
Source: | Static file information: |
Source: | Binary string: |
Data Obfuscation
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004065B9 | |
Source: | Code function: | 0_2_00404195 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00407E89 | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_00408B4F | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 0_2_0040442D | |
Source: | Code function: | 1_2_00409BA5 | |
Source: | Code function: | 1_2_0040A258 | |
Source: | Code function: | 1_2_004782B3 | |
Source: | Code function: | 1_2_0040A255 | |
Source: | Code function: | 1_2_004063C9 | |
Source: | Code function: | 1_2_004303A9 | |
Source: | Code function: | 1_2_0045A751 | |
Source: | Code function: | 1_2_004108ED | |
Source: | Code function: | 1_2_00412B9B | |
Source: | Code function: | 1_2_00451023 | |
Source: | Code function: | 1_2_0040D242 | |
Source: | Code function: | 1_2_004055F9 | |
Source: | Code function: | 1_2_00443664 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0047976D | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_00405891 | |
Source: | Code function: | 1_2_0040F7A2 | |
Source: | Code function: | 1_2_00419E45 | |
Source: | Code function: | 2_2_004311B6 | |
Source: | Code function: | 2_2_0040F4CE |
Source: | Static PE information: |
Source: | File created: |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_00423E24 | |
Source: | Code function: | 1_2_004243F4 | |
Source: | Code function: | 1_2_004243AC | |
Source: | Code function: | 1_2_0041859C | |
Source: | Code function: | 1_2_00422A74 | |
Source: | Code function: | 1_2_004177B0 | |
Source: | Code function: | 1_2_00477D2C | |
Source: | Code function: | 1_2_00417EE6 | |
Source: | Code function: | 1_2_00417EE8 |
Source: | Process information set: |
Source: | Evasive API call chain: | graph_0-5527 |
Source: | Last function: |
Source: | Dropped PE file which has not been started: |
Source: | Check user administrative privileges: | graph_2-35021 |
Source: | Code function: | 2_2_004056A0 |
Source: | Process information queried: |
Source: | Code function: | 0_2_004095D0 |
Source: | Code function: | 1_2_0046C770 | |
Source: | Code function: | 1_2_00474708 | |
Source: | Code function: | 1_2_00451554 | |
Source: | Code function: | 1_2_0048A778 | |
Source: | Code function: | 1_2_004729D4 | |
Source: | Code function: | 1_2_0045CA54 | |
Source: | Code function: | 1_2_00406FEC | |
Source: | Code function: | 1_2_0045DB60 | |
Source: | Code function: | 1_2_0045DEF4 | |
Source: | Code function: | 2_2_00404490 | |
Source: | Code function: | 2_2_00423E2D | |
Source: | Code function: | 2_2_1000959D |
Source: | File opened: |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0041336B |
Source: | Code function: | 2_2_00402BF0 |
Source: | Code function: | 2_2_00402F20 |
Source: | Process token adjusted: |
Source: | Code function: | 2_2_0044028F | |
Source: | Code function: | 2_2_0042041F | |
Source: | Code function: | 2_2_004429E7 | |
Source: | Code function: | 2_2_00417BAF | |
Source: | Code function: | 2_2_100091C7 | |
Source: | Code function: | 2_2_10006CE1 |
Source: | Code function: | 2_2_0040F789 | |
Source: | Code function: | 2_2_0041336B | |
Source: | Code function: | 2_2_0040F5F5 | |
Source: | Code function: | 2_2_0040EBD2 | |
Source: | Code function: | 2_2_10006180 | |
Source: | Code function: | 2_2_100035DF | |
Source: | Code function: | 2_2_10003AD4 |
Source: | Process created: |
Source: | Code function: | 1_2_004593E4 |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004051C8 | |
Source: | Code function: | 0_2_00405214 | |
Source: | Code function: | 1_2_0040874C | |
Source: | Code function: | 1_2_00408798 | |
Source: | Code function: | 2_2_00404D40 | |
Source: | Code function: | 2_2_00427041 | |
Source: | Code function: | 2_2_0042708C | |
Source: | Code function: | 2_2_00427127 | |
Source: | Code function: | 2_2_004271B2 | |
Source: | Code function: | 2_2_0041E2FF | |
Source: | Code function: | 2_2_00427405 | |
Source: | Code function: | 2_2_0042752B | |
Source: | Code function: | 2_2_00427631 | |
Source: | Code function: | 2_2_00427700 | |
Source: | Code function: | 2_2_0041E821 | |
Source: | Code function: | 2_2_00426D9F |
Source: | Code function: | 2_2_0040F7F3 |
Source: | Code function: | 1_2_00455B2C |
Source: | Code function: | 0_2_004026C4 |
Source: | Code function: | 0_2_00405CB0 |
Source: | Code function: | 1_2_00453A24 |
Stealing of Sensitive Information
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 2 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 13 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 13 Process Injection | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 23 Software Packing | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 26 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
2% | ReversingLabs | |||
2% | ReversingLabs | |||
0% | ReversingLabs | |||
2% | ReversingLabs | |||
4% | ReversingLabs | |||
46% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen8 | |
| 100% | Avira | HEUR/AGEN.1232832 | |
| 100% | Avira | HEUR/AGEN.1250671 | |
| 100% | Avira | HEUR/AGEN.1248792 | |
| 100% | Avira | TR/Patched.Ren.Gen | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | URL Reputation | malware | ||
0% | URL Reputation | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | low |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.139.105.171 | unknown | Italy | | 33657 | CMCSUS | false |
45.139.105.1 | unknown | Italy | | 33657 | CMCSUS | true |
85.31.46.167 | unknown | Germany | | 43659 | CLOUDCOMPUTINGDE | true |
107.182.129.235 | unknown | Reserved | | 11070 | META-ASUS | true |
171.22.30.106 | unknown | Germany | | 33657 | CMCSUS | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 753425 |
Start date and time: | 2022-11-24 20:03:09 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | file.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@12/23@0/5 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
20:04:06 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.139.105.171 | | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CMCSUS | | | malicious | | |
CMCSUS | | | malicious | | |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Program Files (x86)\PrintFolders\Russian.dll (copy) | | | malicious | | |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | modified |
Size (bytes): | 1990648 |
Entropy (8bit): | 6.135022664098298 |
Encrypted: | false |
SSDEEP: | 49152:G0e7jkeRVgTU1Sw1pUfsWFQVNiTneoDsQ:gE2kYpUfs0QCe9Q |
MD5: | 2ABBE052537A4C836AFE8DBAC888F131 |
SHA1: | A0629A6130B7B7107681B033C0AFEE0C4EEB6CDB |
SHA-256: | 70717E7EE9E2A9EE5EF3804E3571B0DF6A1C2ABAF63179410A414C99705F9A47 |
SHA-512: | CD0361EF97CF7EB1CF248875FCBA471A2D5A9F82FA38EA15825EE60159B16465904116C1244D0CA21ED3B49895C2647653FF836B7A114FE5EC384C4E28962E0D |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 3391 |
Entropy (8bit): | 4.812121234949207 |
Encrypted: | false |
SSDEEP: | 96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk |
MD5: | A5E8094B0CBADE929AEE07F5DA5E9429 |
SHA1: | 60BB56A380CD9126AC067AE39B262E28A22532CD |
SHA-256: | F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1 |
SHA-512: | 018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 21504 |
Entropy (8bit): | 4.508743257769972 |
Encrypted: | false |
SSDEEP: | 192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f |
MD5: | 4FB606EDBDE8EFB6D34E6E1BC5F677F1 |
SHA1: | F8F094064D107384E619DED1139932AA38476272 |
SHA-256: | A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62 |
SHA-512: | 5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 5403 |
Entropy (8bit): | 4.918324842676727 |
Encrypted: | false |
SSDEEP: | 96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY |
MD5: | C8B211D81EB7D4F9EBB071A117444D51 |
SHA1: | 43BF57BB0931EBED953FE17F937C1C7FF58A027C |
SHA-256: | AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC |
SHA-512: | C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 118869 |
Entropy (8bit): | 7.933172616287708 |
Encrypted: | false |
SSDEEP: | 1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT |
MD5: | 204A5BF160646F9A55ED70AB6E1A07A6 |
SHA1: | 5404AB219FA01C270ADC36303D447109503C4A4D |
SHA-256: | CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD |
SHA-512: | 6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 1990648 |
Entropy (8bit): | 6.13502190347102 |
Encrypted: | false |
SSDEEP: | 49152:v0e7jkeRVgTU1Sw1pUfsWFQVNiTneoDsQ:zE2kYpUfs0QCe9Q |
MD5: | DE99B1E8819F3E7BD2265CDB39050B9C |
SHA1: | FC3C8DDE6D6D01983B1888C3139AD37DED4ED2FE |
SHA-256: | 37343E82AD7BE281C2CB98A3B97DE2E5AD31BDFEB7850E5A54F07D124B96D4D6 |
SHA-512: | 04B99842B22DD22AFCF5399B71915D0EEF0036581050AC6DE4320AEBFE81A0EA7FD1EC9ED79D98B4FD2D4704DD006D12F1B47869DAFC51EAC10096CF328F54BC |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 3813 |
Entropy (8bit): | 4.504029461113114 |
Encrypted: | false |
SSDEEP: | 48:weNyMHLBv8iD86plmE6FoIN0hqkLVO3471qV/LDa0zA47brL1XLk:hrp8iD86p45oIyhqYOIh0No |
MD5: | 5CA9A255015A4BEF13CC4C4CB36429CA |
SHA1: | C26147239E8EB7D5E47FF10808E94D91DACB2C1D |
SHA-256: | E6A32D3F74C0E10502BD5D726A310B9AC7D7DB52E79F87728AD30110F580CED5 |
SHA-512: | 070DA32A80D5C79807BE4579CEB958CCD33CE07080D35EFAC817A9DC5B4BC42FD2008A12764D774AB999834968F1F9206C5094685FE889B4DEE01671837E59C4 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 669450 |
Entropy (8bit): | 6.478399502986981 |
Encrypted: | false |
SSDEEP: | 12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx |
MD5: | CF680B53729F6E3059183D51F91D337D |
SHA1: | 4D6EB765BB4837F09283101490375DF5F68C8E37 |
SHA-256: | A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D |
SHA-512: | 1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51 |
Malicious: | true |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 94224 |
Entropy (8bit): | 7.998072640845361 |
Encrypted: | true |
SSDEEP: | 1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0 |
MD5: | 418619EA97671304AF80EC60F5A50B62 |
SHA1: | F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6 |
SHA-256: | EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4 |
SHA-512: | F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 17 |
Entropy (8bit): | 3.1751231351134614 |
Encrypted: | false |
SSDEEP: | 3:nCmxEl:Cmc |
MD5: | 064DB2A4C3D31A4DC6AA2538F3FE7377 |
SHA1: | 8F877AE1873C88076D854425221E352CA4178DFA |
SHA-256: | 0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0 |
SHA-512: | CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 2560 |
Entropy (8bit): | 2.8818118453929262 |
Encrypted: | false |
SSDEEP: | 24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG |
MD5: | A69559718AB506675E907FE49DEB71E9 |
SHA1: | BC8F404FFDB1960B50C12FF9413C893B56F2E36F |
SHA-256: | 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
SHA-512: | E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 4608 |
Entropy (8bit): | 4.226829458093667 |
Encrypted: | false |
SSDEEP: | 48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa |
MD5: | 9E5BA8A0DB2AE3A955BEE397534D535D |
SHA1: | EF08EF5FAC94F42C276E64765759F8BC71BF88CB |
SHA-256: | 08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA |
SHA-512: | 229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21 |
Malicious: | true |
Process: | C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp |
Category: | dropped |
Size (bytes): | 23312 |
Entropy (8bit): | 4.596242908851566 |
Encrypted: | false |
SSDEEP: | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
MD5: | 92DC6EF532FBB4A5C3201469A5B5EB63 |
SHA1: | 3E89FF837147C16B4E41C30D6C796374E0B8E62C |
SHA-256: | 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 |
SHA-512: | 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 |
Malicious: | false |
Process: | C:\Users\user\Desktop\file.exe |
Category: | dropped |
Size (bytes): | 658944 |
Entropy (8bit): | 6.468629759056718 |
Encrypted: | false |
SSDEEP: | 12288:Oh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxO0:05NoqWolrP837JzHvA6yknyWFxvJxO0 |
MD5: | 85B94E72C3F2D2B5464E2AAF3C9E242A |
SHA1: | CE7CCAE5F50A990D059D59292D4A332979E162BA |
SHA-256: | 1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7 |
SHA-512: | C0C27189989DB482BE9BDA5B6B8B1441BDC5E9B0F3A414CCAB4C4BE516E7F99E25717845361A5B196114502FAAAF21BEC7ACA91B497ACD2E2396F49C31850880 |
Malicious: | true |
Process: | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Category: | dropped |
Size (bytes): | 73728 |
Entropy (8bit): | 6.20389308045717 |
Encrypted: | false |
SSDEEP: | 1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi |
MD5: | 3FB36CB0B7172E5298D2992D42984D06 |
SHA1: | 439827777DF4A337CBB9FA4A4640D0D3FA1738B7 |
SHA-256: | 27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6 |
SHA-512: | 6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C |
Malicious: | true |
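Added example, not part of the Joe Sandbox report: a Python triage pass over the dropped-file records above, the kind of check that is easier to do by script than by reading 23 hash blocks. The tuples are transcribed from the records (process, category, size, 8-bit entropy, Malicious flag, SHA-256); the grouping rules are the example's own. Three things it surfaces: several SHA-256 values occur more than once (the same content written to more than one path, which is how an Inno Setup installer stages files through its is-XXXX.tmp directory); the two 1990648-byte records carry different hashes and near-identical SSDEEP values, one "modified" and flagged malicious, one "dropped" and not, which is consistent with a file being dropped and then altered in place; and the three 1-byte PrintFolders.exe drops have entropy 0.0 and hash to the digests of the ASCII character "0", which the example reproduces with hashlib. The 94224-byte file with entropy 7.998, the only record the report marks Encrypted, sits in WinINet's INetCache, so it was downloaded by PrintFolders.exe rather than unpacked from the installer.

```python
# Added example (not from the Joe Sandbox report): hash and entropy triage
# over the dropped-file records above. Each tuple is transcribed from one
# record: (process, category, size, entropy, malicious, sha256).
import hashlib
import math
from collections import Counter, defaultdict

INNO_TMP = r"C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp"
PRINTFOLDERS = r"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
FILE_EXE = r"C:\Users\user\Desktop\file.exe"

DROPPED = [
    (INNO_TMP, "dropped", 118869, 7.933, False, "CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD"),
    (INNO_TMP, "dropped", 5403, 4.918, False, "AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC"),
    (INNO_TMP, "dropped", 3391, 4.812, False, "F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1"),
    (INNO_TMP, "modified", 1990648, 6.135, True, "70717E7EE9E2A9EE5EF3804E3571B0DF6A1C2ABAF63179410A414C99705F9A47"),
    (INNO_TMP, "dropped", 21504, 4.509, True, "A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62"),
    (INNO_TMP, "dropped", 3391, 4.812, False, "F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1"),
    (INNO_TMP, "dropped", 21504, 4.509, True, "A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62"),
    (INNO_TMP, "dropped", 669450, 6.478, True, "A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D"),
    (INNO_TMP, "dropped", 5403, 4.918, False, "AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC"),
    (INNO_TMP, "dropped", 118869, 7.933, False, "CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD"),
    (INNO_TMP, "dropped", 1990648, 6.135, False, "37343E82AD7BE281C2CB98A3B97DE2E5AD31BDFEB7850E5A54F07D124B96D4D6"),
    (INNO_TMP, "dropped", 3813, 4.504, False, "E6A32D3F74C0E10502BD5D726A310B9AC7D7DB52E79F87728AD30110F580CED5"),
    (INNO_TMP, "dropped", 669450, 6.478, True, "A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D"),
    (PRINTFOLDERS, "dropped", 94224, 7.998, False, "EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4"),
    (PRINTFOLDERS, "dropped", 17, 3.175, False, "0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0"),
    (PRINTFOLDERS, "dropped", 1, 0.0, False, "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    (PRINTFOLDERS, "dropped", 1, 0.0, False, "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    (PRINTFOLDERS, "dropped", 1, 0.0, False, "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    (INNO_TMP, "dropped", 2560, 2.882, True, "2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC"),
    (INNO_TMP, "dropped", 4608, 4.227, True, "08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA"),
    (INNO_TMP, "dropped", 23312, 4.596, False, "9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87"),
    (FILE_EXE, "dropped", 658944, 6.469, True, "1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7"),
    (PRINTFOLDERS, "dropped", 73728, 6.204, True, "27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6"),
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the quantity the report calls Entropy (8bit)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """The four digests the report lists for every file, lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def group_by_sha256(records):
    groups = defaultdict(list)
    for rec in records:
        groups[rec[5]].append(rec)
    return groups


def duplicated_hashes(records):
    """SHA-256 values that appear in more than one record: one content, several paths."""
    return sorted(h for h, recs in group_by_sha256(records).items() if len(recs) > 1)


def size_collisions(records):
    """Sizes that occur with more than one distinct SHA-256, a candidate for a file
    that was dropped and then changed in place."""
    by_size = defaultdict(set)
    for rec in records:
        by_size[rec[2]].add(rec[5])
    return {size: sorted(hs) for size, hs in by_size.items() if len(hs) > 1}


def triage(records=DROPPED):
    groups = group_by_sha256(records)
    return {
        "records": len(records),
        "distinct_files": len(groups),
        "duplicated_hashes": duplicated_hashes(records),
        "size_collisions": size_collisions(records),
        # a hash is malicious if any record carrying it was flagged
        "malicious_distinct": sorted(h for h, recs in groups.items() if any(r[4] for r in recs)),
    }


def single_byte_zero_check(records=DROPPED) -> bool:
    """The 1-byte drops have entropy 0.0 and hash to the digest of the ASCII character '0'."""
    ones = [rec for rec in records if rec[2] == 1]
    expected = digests(b"0")["sha256"].upper()
    return len(ones) == 3 and all(rec[5] == expected for rec in ones) and shannon_entropy(b"0") == 0.0


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    print("1-byte files are the character '0':", single_byte_zero_check())
```

Grouping by SHA-256 rather than by path is the right key for this report because the path column did not survive extraction; the same approach works unchanged on the JSON export of a sandbox run, where the path is available and can be attached to each group.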
File type: | |
Entropy (8bit): | 7.991071631974842 |
File name: | file.exe |
File size: | 1488975 |
MD5: | 2ed741014b8cdafd91a740432a3cffa1 |
SHA1: | 3d65ac9a3d0950a55d4c7e4cb5a6fbfeab180cab |
SHA256: | fc33189d3c146375f5742bbb0e82277e2b8ed3789d8feae27939e834b07ee8dc |
SHA512: | a309386146699f4cfd48872f705cce681266c63af93d9e9347a79e940a6221ce6a3606e52f7afa8a4ca91e259c31f600bad43c851eca387941b4154fe69c6d3c |
SSDEEP: | 24576:hizo5TdlqnGpid2DCDeCSxDQrOAE/1MA5sLspIYJj85itIqSdgZIY7eCLxYi5:KSjiQeef2E/1MDQLJjHIqDNeVi5 |
TLSH: | 2D65330EE623297CE08340B25F7A59584766BE240D782162FAF0A4F58D7FB85690F7D3 |
File Content Preview: | MZP.....................@.......................Inno'....G..............!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Entrypoint: | 0x40968c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 0 |
File Version Major: | 1 |
File Version Minor: | 0 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 0 |
Import Hash: | da86ff6d22d7419ae7f10724a403dffd |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFD4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-10h], eax |
mov dword ptr [ebp-1Ch], eax |
call 00007FB90D3609BFh |
call 00007FB90D361C6Ah |
call 00007FB90D363E5Dh |
call 00007FB90D363EA4h |
call 00007FB90D3663F3h |
call 00007FB90D3664E2h |
mov esi, 0040BDE0h |
xor eax, eax |
push ebp |
push 00409D71h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 00409D27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [0040B014h] |
call 00007FB90D366E6Fh |
call 00007FB90D366A2Eh |
lea edx, dword ptr [ebp-10h] |
xor eax, eax |
call 00007FB90D364318h |
mov edx, dword ptr [ebp-10h] |
mov eax, 0040BDD4h |
call 00007FB90D360A6Bh |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [0040BDD4h] |
mov dl, 01h |
mov eax, 004070C4h |
call 00007FB90D36497Bh |
mov dword ptr [0040BDD8h], eax |
xor edx, edx |
push ebp |
push 00409D05h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
lea edx, dword ptr [ebp-18h] |
mov eax, dword ptr [0040BDD8h] |
call 00007FB90D364A53h |
mov ebx, dword ptr [ebp-18h] |
mov edx, 00000030h |
mov eax, dword ptr [0040BDD8h] |
call 00007FB90D364B8Dh |
mov edx, esi |
mov ecx, 0000000Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x8c8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x263c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x8e00 | 0x8e00 | False | 0.6218364876760564 | data | 6.600437911517656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xa000 | 0x248 | 0x400 | False | 0.3115234375 | data | 2.7204325510923035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xb000 | 0xe64 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0x8c8 | 0xa00 | False | 0.389453125 | data | 4.2507970587946735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xd000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xe000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x86c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x263c | 0x2800 | False | 0.322265625 | data | 4.568719834340923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1030c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States |
RT_ICON | 0x10434 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States |
RT_ICON | 0x1099c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States |
RT_ICON | 0x10c84 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States |
RT_STRING | 0x1152c | 0x2f2 | data | ||
RT_STRING | 0x11820 | 0x30c | data | ||
RT_STRING | 0x11b2c | 0x2ce | data | ||
RT_STRING | 0x11dfc | 0x68 | data | ||
RT_STRING | 0x11e64 | 0xb4 | data | ||
RT_STRING | 0x11f18 | 0xae | data | ||
RT_GROUP_ICON | 0x11fc8 | 0x3e | data | English | United States |
RT_VERSION | 0x12008 | 0x3a8 | data | English | United States |
RT_MANIFEST | 0x123b0 | 0x289 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
user32.dll | MessageBoxA |
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
comctl32.dll | InitCommonControls |
advapi32.dll | AdjustTokenPrivileges |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
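Added example, not code from the report or the sandbox: a Python pass over the static PE data above for file.exe. The section rows, file size, timestamp and a subset of the import lists are transcribed from the tables; every rule is the example's own. The main point is the overlay: the section raw sizes add up to about 50 KB of a 1.49 MB file, so roughly 96% of file.exe lies outside the PE image, which fits the Inno Setup marker in the content preview and the whole-file entropy of 7.99 against 6.6 for CODE (the compressed installer payload is appended, not packed into sections). The estimate also counts the PE headers, whose size the report does not give, so it is slightly high. Two caveats worth recording: the timestamp 0x2A425E19 is the fixed value the Borland/Delphi linker writes, so it carries no build-date information; and .reloc has a virtual size but a raw size of 0 while the characteristics include RELOCS_STRIPPED and DLL Characteristics is empty, so the image is not ASLR-compatible and always loads at 0x400000. The import check groups the token-privilege APIs (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges), the memory-protection and process-creation calls, and GetProcAddress/GetModuleHandleA for dynamic resolution.

```python
# Added example (not from the Joe Sandbox report): static triage of the
# file.exe PE metadata shown above. Section rows, file size, timestamp and
# the import subset are transcribed from the report; the rules are this
# example's own.
from dataclasses import dataclass

FILE_SIZE = 1488975            # "File size" row
LINK_TIMESTAMP = 0x2A425E19    # "Time Stamp" row
# Fixed TimeDateStamp written by the Borland/Delphi linker (Jun 19 1992):
# it identifies the toolchain, not the build date.
BORLAND_FIXED_TIMESTAMP = 0x2A425E19
# Names conventionally emitted by MSVC/MinGW; "CODE", "DATA", "BSS" are the
# Borland names and count as non-standard for this check (assumed list).
COMMON_SECTION_NAMES = {".text", ".data", ".bss", ".rdata", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float
    flags: frozenset


def section(name, vsize, raw, entropy, flags):
    return Section(name, vsize, raw, entropy, frozenset(f.strip() for f in flags.split(",")))


SECTIONS = [
    section("CODE",   0x8e00, 0x8e00, 6.600, "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    section("DATA",   0x248,  0x400,  2.720, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    section("BSS",    0xe64,  0x0,    0.0,   "IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    section(".idata", 0x8c8,  0xa00,  4.251, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    section(".tls",   0x8,    0x0,    0.0,   "IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    section(".rdata", 0x18,   0x200,  0.199, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
    section(".reloc", 0x86c,  0x0,    0.0,   "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
    section(".rsrc",  0x263c, 0x2800, 4.569, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
]

# Subset of the import table above (enough for the checks below).
IMPORTS = {
    "kernel32.dll": ["VirtualProtect", "VirtualAlloc", "VirtualFree", "GetProcAddress",
                     "GetModuleHandleA", "CreateProcessA", "GetCurrentProcess", "Sleep"],
    "user32.dll": ["MessageBoxA", "ExitWindowsEx", "CreateWindowExA"],
    "advapi32.dll": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                     "RegOpenKeyExA", "RegQueryValueExA"],
    "oleaut32.dll": ["VariantClear", "SysAllocStringLen"],
    "comctl32.dll": ["InitCommonControls"],
}

# API groups this example chooses to highlight (an assumption, not a standard list).
WATCHED_APIS = {
    "token_privileges": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "memory_protection": {"VirtualProtect", "VirtualAlloc"},
    "process_and_session": {"CreateProcessA", "ExitWindowsEx"},
    "dynamic_resolution": {"GetProcAddress", "GetModuleHandleA"},
}


def raw_bytes_in_sections(sections):
    return sum(s.raw_size for s in sections)


def overlay_estimate(sections, file_size):
    """Bytes not covered by any section's raw data. Includes the PE headers
    (size not given in the report), so it slightly overstates the overlay."""
    return file_size - raw_bytes_in_sections(sections)


def uninitialized_sections(sections):
    """Virtual size but no raw data: normal for BSS/.tls, notable for .reloc."""
    return [s.name for s in sections if s.virtual_size > 0 and s.raw_size == 0]


def writable_executable(sections):
    return [s.name for s in sections if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s.flags]


def nonstandard_section_names(sections):
    return [s.name for s in sections if s.name not in COMMON_SECTION_NAMES]


def high_entropy_sections(sections, threshold=7.0):
    return [s.name for s in sections if s.entropy >= threshold]


def watched_imports(imports):
    present = {api for apis in imports.values() for api in apis}
    return {group: sorted(present & apis) for group, apis in WATCHED_APIS.items()}


def triage(sections=SECTIONS, imports=IMPORTS, file_size=FILE_SIZE, timestamp=LINK_TIMESTAMP):
    overlay = overlay_estimate(sections, file_size)
    return {
        "overlay_bytes": overlay,
        "overlay_fraction": round(overlay / file_size, 3),
        "uninitialized": uninitialized_sections(sections),
        "writable_executable": writable_executable(sections),
        "nonstandard_names": nonstandard_section_names(sections),
        "high_entropy": high_entropy_sections(sections),
        "borland_fixed_timestamp": timestamp == BORLAND_FIXED_TIMESTAMP,
        "watched_imports": watched_imports(imports),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real sample the same numbers come straight from the section headers (SizeOfRawData and PointerToRawData give an exact overlay offset instead of an estimate); the value of running it on the report's figures is to see that the overlay, not a packed code section, is where the bulk of this file lives, which tells you to carve the Inno Setup payload rather than unpack the PE.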
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 24, 2022 20:04:06.946058989 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:06.974109888 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Nov 24, 2022 20:04:06.974369049 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:06.975188017 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:07.002732992 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Nov 24, 2022 20:04:07.008284092 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Nov 24, 2022 20:04:07.008407116 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:07.070561886 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.098324060 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.098479033 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.099627018 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.129308939 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.129746914 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.129908085 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.167032003 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.195297956 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195595026 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195625067 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195647955 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195672035 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195697069 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195724964 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195734978 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.195753098 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195776939 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.195781946 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195808887 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195836067 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.195873022 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.195914030 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.223795891 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223831892 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223859072 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223885059 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223911047 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223913908 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.223938942 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223963976 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.223965883 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.223993063 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.224016905 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.224037886 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.224055052 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.224085093 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.224133015 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251636028 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251678944 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251702070 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251724005 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251743078 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251748085 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251773119 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251797915 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251797915 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251797915 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251820087 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251822948 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251847982 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251859903 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251873016 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251887083 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251902103 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.251909971 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251938105 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.251966000 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281215906 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281248093 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281270981 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281295061 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281317949 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281327963 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281347990 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281378031 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281383991 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281383991 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281399012 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281409979 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281419992 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281443119 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281457901 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281459093 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281481028 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.281492949 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281510115 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.281532049 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309762955 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309798956 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309824944 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309849977 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309875965 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309887886 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309889078 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309889078 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309900999 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309926033 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309950113 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309973001 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.309973001 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309973001 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309973955 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309973955 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.309998989 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.310023069 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.310024023 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.310024023 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.310046911 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.310049057 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.310080051 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.310175896 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338548899 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338596106 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338620901 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338644981 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338660955 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338660955 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338668108 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338694096 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338716984 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338741064 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338758945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338758945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338758945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338758945 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338766098 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338790894 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338790894 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338808060 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338815928 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338826895 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338840008 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.338915110 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338915110 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.338915110 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.366193056 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366230965 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366257906 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366281033 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366303921 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366327047 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366349936 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366369963 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:07.366432905 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.366503954 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.487350941 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.516808033 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:07.516962051 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.517386913 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.547811985 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:08.183096886 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:08.183384895 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:10.274821043 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:10.303235054 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:10.921152115 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:10.921443939 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:12.010909081 CET | 80 | 49698 | 45.139.105.171 | 192.168.2.3 |
Nov 24, 2022 20:04:12.011039972 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:12.314830065 CET | 80 | 49699 | 107.182.129.235 | 192.168.2.3 |
Nov 24, 2022 20:04:12.315078020 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:13.009390116 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:13.037208080 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:13.651431084 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:13.651510000 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:16.725641966 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:16.753967047 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:17.408674002 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:17.408866882 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:19.479399920 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:19.507314920 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:20.138571024 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:20.138660908 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:22.232724905 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:22.263175964 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:22.886122942 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:22.886228085 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:25.004755020 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:25.033701897 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:25.909393072 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:25.909506083 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:27.996823072 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:28.027730942 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:28.684456110 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:28.684699059 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:30.746705055 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:30.777260065 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:31.385026932 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:31.385099888 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:33.849196911 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:33.879093885 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:34.525691032 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:34.525862932 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:36.730756998 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:36.760432005 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:37.394530058 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:37.394788027 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:40.588359118 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:40.588391066 CET | 49698 | 80 | 192.168.2.3 | 45.139.105.171 |
Nov 24, 2022 20:04:40.588444948 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
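The packet list above is flat, but the flow on port 49700 to 171.22.30.106 shows the pattern an analyst looks for: a client request roughly every three seconds, a server reply about 0.6 s later, then silence until the next check-in, while the earlier flows carry one-off transfers. The script below is an added example and not part of the sandbox report; it parses rows in the report's own format (Timestamp | Source Port | Dest Port | Source IP | Dest IP), groups them into client/server flows, collapses each request/reply exchange into one "burst", and flags a flow as beaconing when the gaps between bursts are evenly spaced. The sample rows are an excerpt copied from the list above; the 192.168.2.x guest subnet is taken from the report, while the 1 s burst window and the 0.1 jitter threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: rows excerpted verbatim from the TCP packet list above.
SAMPLE = """\
Nov 24, 2022 20:04:07.366432905 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:07.487350941 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.516808033 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:07.516962051 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.517386913 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:07.547811985 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:08.183096886 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:08.183384895 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:10.274821043 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:10.921152115 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:10.921443939 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:12.315078020 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:13.009390116 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:13.651431084 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:13.651510000 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:16.725641966 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:17.408674002 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:17.408866882 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:19.479399920 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:20.138571024 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:20.138660908 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:22.232724905 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:22.886122942 CET | 80 | 49700 | 171.22.30.106 | 192.168.2.3 |
Nov 24, 2022 20:04:22.886228085 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
Nov 24, 2022 20:04:40.588359118 CET | 49699 | 80 | 192.168.2.3 | 107.182.129.235 |
Nov 24, 2022 20:04:40.588444948 CET | 49700 | 80 | 192.168.2.3 | 171.22.30.106 |
"""

ROW = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<ns>\d+) \w+"
                 r" \| (?P<sport>\d+) \| (?P<dport>\d+) \| (?P<sip>[\d.]+) \| (?P<dip>[\d.]+) \|?$")
EPOCH = datetime(1970, 1, 1)
LOCAL_NET = "192.168.2."  # assumed: the sandbox guest subnet seen in the report


def to_seconds(ts, ns):
    # strptime's %f takes at most six digits and the report prints nine, so the fraction is added by hand.
    whole = (datetime.strptime(ts, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return whole + int(ns.ljust(9, "0")[:9]) / 1e9


def parse_packets(text):
    """Return (time, sport, dport, sip, dip) tuples; lines that are not packet rows are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append((to_seconds(m["ts"], m["ns"]), m["sport"], m["dport"], m["sip"], m["dip"]))
    return out


def flow_key(pkt):
    """Normalise both directions to (client_ip, client_port, server_ip, server_port)."""
    _, sport, dport, sip, dip = pkt
    return (sip, sport, dip, dport) if sip.startswith(LOCAL_NET) else (dip, dport, sip, sport)


def burst_starts(times, quiet=1.0):
    """Start time of each client-side burst; a client packet within `quiet` seconds
    of the previous one (e.g. the ACK for a reply) belongs to the same burst."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > quiet:
            starts.append(t)
        last = t
    return starts


def periodicity(starts):
    """Median inter-burst gap and a robust jitter ratio (MAD / median). Median statistics
    tolerate a few outliers, such as the idle gap before the final teardown packet."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 3:
        return None, None
    med = median(gaps)
    return med, median([abs(g - med) for g in gaps]) / med


def analyse(text, max_jitter=0.1):
    """Per-flow summary keyed by 'client:port -> server:port'."""
    flows = defaultdict(list)
    for p in parse_packets(text):
        flows[flow_key(p)].append(p)
    report = {}
    for (cip, cport, sip, sport), fp in flows.items():
        starts = burst_starts([p[0] for p in fp if p[3] == cip])
        med, jitter = periodicity(starts)
        report[f"{cip}:{cport} -> {sip}:{sport}"] = {
            "packets": len(fp),
            "client_bursts": len(starts),
            "median_gap_s": None if med is None else round(med, 2),
            "beaconing": jitter is not None and jitter < max_jitter,
        }
    return report


if __name__ == "__main__":
    for flow, summary in analyse(SAMPLE).items():
        print(flow, summary)
```

On the excerpt the 49700 flow resolves to seven client bursts with a median gap of about 2.77 s and a jitter ratio near 0.01, so it is reported as beaconing even though the last gap (the teardown at 20:04:40) is 18 s long; the 49699 flow has too few bursts to score. Session 1 in the HTTP table below names the process behind that traffic, which is how the flow is tied back to the dropped PrintFolders.exe.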
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49698 | 45.139.105.171 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 20:04:06.975188017 CET | 95 | OUT | |
Nov 24, 2022 20:04:07.008284092 CET | 95 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49699 | 107.182.129.235 | 80 | C:\Program Files (x86)\PrintFolders\PrintFolders.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Nov 24, 2022 20:04:07.099627018 CET | 96 | OUT | |
Nov 24, 2022 20:04:07.129746914 CET | 96 | IN | |
Nov 24, 2022 20:04:07.167032003 CET | 96 | OUT | |
Nov 24, 2022 20:04:07.195595026 CET | 98 | IN | |