
Analysis Report rb5iJg6pgN.exe

Overview

General Information

Joe Sandbox Version:26.0.0
Analysis ID:897192
Start date:27.06.2019
Start time:14:38:07
Joe Sandbox Product:Cloud
Overall analysis duration:0h 22m 32s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:rb5iJg6pgN.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 72
  • Number of non-executed functions: 298
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship
Execution: Windows Management Instrumentation (211); Execution through API (1); Command-Line Interface (1); Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Hooking (3); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Hooking (3); Process Injection (811); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Software Packing (1); Deobfuscate/Decode Files or Information (1); File Deletion (1); Obfuscated Files or Information (2); Rootkit (3); Modify Registry (1); Process Injection (811); Indicator Blocking; Process Injection
Credential Access: Credential Dumping (3); Credentials in Files (1); Hooking (3); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery (1); Security Software Discovery (361); File and Directory Discovery (13); System Information Discovery (266); Query Registry (1); Process Discovery (4); Application Window Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (2)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Data from Local System (41); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted (12); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Commonly Used Port (1); Standard Cryptographic Protocol (22); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (2); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
Source: rb5iJg6pgN.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004060FB __EH_prolog,MessageBoxA,MessageBoxA,_memset,CreateAcceleratorTableA,wsprintfA,MessageBoxA,SendMessageA,TranslateAcceleratorA,TranslateMessage,_memset,SetAbortProc,GetCursorPos,CreateEventA,SetMapMode,SetWindowExtEx,GetCursorPos,SendInput,GetPriorityClass,GlobalAlloc,DialogBoxIndirectParamA,WaitForSingleObject,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,_memset,__libm_sse2_asin_precise,__floor_pentium4,GetTextFaceA,__libm_sse2_asin_precise,GetViewportExtEx,#413,PdhCollectQueryData,SetWindowTextA,GetViewportOrgEx,LoadImageA,RedrawWindow,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__floor_pentium4,__libm_sse2_asin_precise,CreateDialogParamA,SetDlgItemTextA,_memset,GetOpenFileNameA,_memset,GetClassNameA,GetClassNameA,__floor_pentium4,DescribePixelFormat,_memset,_memset,_strrchr,SetScrollInfo,GetScrollInfo,ScrollWindow,UpdateWindow,GetDialogBaseUnits,VirtualAlloc,ChooseColorA,SendMessageA,SendMessageA,SendMessageA,GetClientRect,MoveWindow,ShowWindow,ShowWin | 0_1_004060FB

Spreading:

Performs a network lookup / discovery via net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\explorer.exe | Code function: 2_2_01552003 FindFirstFileA,lstrcpy,GetFileAttributesA,mbstowcs,FindNextFileA,FindClose, | 2_2_01552003
Source: C:\Windows\explorer.exe | Code function: 2_2_01560022 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, | 2_2_01560022
Source: C:\Windows\explorer.exe | Code function: 2_2_015568A7 memset,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree, | 2_2_015568A7
Source: C:\Windows\explorer.exe | Code function: 2_2_01560316 FindFirstFileW,WaitForSingleObject,FindNextFileW,FindClose, | 2_2_01560316
Source: C:\Windows\explorer.exe | Code function: 2_2_0156048A FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,FindClose, | 2_2_0156048A
Source: C:\Windows\explorer.exe | Code function: 2_2_01541FF9 RtlAllocateHeap,TerminateProcess,CloseHandle,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,DeleteFileW,FindNextFileW,FindClose,HeapFree,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,RtlAllocateHeap,lstrcpyW,TerminateProcess,CloseHandle,lstrcpyW,DeleteFileW,HeapFree,HeapFree, | 2_2_01541FF9
Contains functionality to query local drives
Source: C:\Windows\explorer.exe | Code function: 2_2_0154C557 memset,memset,GetVersionExW,LoadLibraryW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,FreeLibrary, | 2_2_0154C557

Networking:

Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Connects to country known for bullet proof hosters
Source: unknown | Network traffic detected: IP: 5.188.60.53 Russian Federation
Found strings which match to known social media urls
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp | String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: explorer.exe | String found in binary or memory: eralbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainsclou equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp | String found in binary or memory: monthlyofficercouncilgainingeven inSummarydate ofloyaltyfitnessand wasemperorsupremeSecond hearingRussianlongestAlbertalateralset of small">.appenddo withfederalbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainscloudfrway of March 1knowingin partBetweenlessonsclosestvirtuallinks">crossedEND -->famous awardedLicenseHealth fairly wealthyminimalAfricancompetelabel">singingfarmersBrasil)discussreplaceGregoryfont copursuedappearsmake uproundedboth ofblockedsaw theofficescoloursif(docuwhen heenforcepush(fuAugust UTF-8">Fantasyin mostinjuredUsuallyfarmingclosureobject defenceuse of Medical<body> equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: pilodirsob.com
Urls found in memory or binary data
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp | String found in binary or memory: http://.css
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp | String found in binary or memory: http://.jpg
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp | String found in binary or memory: http://crl.comodo.n
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp | String found in binary or memory: http://crl.m
Source: explorer.exe, 00000003.00000000.1511733570.043DF000.00000004.sdmp | String found in binary or memory: http://crl.microsoWBu4om
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp | String found in binary or memory: http://crl.microso_
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: C60A.bin.3.dr | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp | String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: http://sv.symcb.com/sv.crlf
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000003.00000000.1509319448.03C30000.00000008.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000003.00000000.1502801306.01D30000.00000008.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.1512679035.0464D000.00000004.sdmpString found in binary or memory: http://www.%s.comSoftware
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: C60A.bin.3.drString found in binary or memory: http://www.alexisisaac.net
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: C60A.bin.3.drString found in binary or memory: https://java.sun.com
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.drString found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.drString found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.drString found in binary or memory: https://www.mozilla.org/firefox/43.0.1/releasenotes
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown | Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49217

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\explorer.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 2_2_01541E2E
Source: C:\Windows\explorer.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 2_2_01541E2E
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004060FB __EH_prolog,MessageBoxA,MessageBoxA,_memset,CreateAcceleratorTableA,wsprintfA,MessageBoxA,SendMessageA,TranslateAcceleratorA,TranslateMessage,_memset,SetAbortProc,GetCursorPos,CreateEventA,SetMapMode,SetWindowExtEx,GetCursorPos,SendInput,GetPriorityClass,GlobalAlloc,DialogBoxIndirectParamA,WaitForSingleObject,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,_memset,__libm_sse2_asin_precise,__floor_pentium4,GetTextFaceA,__libm_sse2_asin_precise,GetViewportExtEx,#413,PdhCollectQueryData,SetWindowTextA,GetViewportOrgEx,LoadImageA,RedrawWindow,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__floor_pentium4,__libm_sse2_asin_precise,CreateDialogParamA,SetDlgItemTextA,_memset,GetOpenFileNameA,_memset,GetClassNameA,GetClassNameA,__floor_pentium4,DescribePixelFormat,_memset,_memset,_strrchr,SetScrollInfo,GetScrollInfo,ScrollWindow,UpdateWindow,GetDialogBaseUnits,VirtualAlloc,ChooseColorA,SendMessageA,SendMessageA,SendMessageA,GetClientRect,MoveWindow,ShowWindow,ShowWin | 0_1_004060FB

System Summary:

barindex
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402C11 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402732 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402C3D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402AD0 memset,NtQueryInformationProcess
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_004032D4 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_004039E1 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402BE5 NtReadVirtualMemory,NtReadVirtualMemory
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00403188 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_004039A2 NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00404425 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00402BC4 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00402B78 _memmove,NtWriteVirtualMemory
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00402C18 NtWriteVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 2_2_0156B1C6 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 2_2_015630D0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\explorer.exe | Code function: 2_2_015618C4 NtWriteVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 2_2_015618F0 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\explorer.exe | Code function: 2_2_01561898 NtReadVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 2_2_0156BF7B NtCreateSection,memset,RtlNtStatusToDosError,NtClose
Source: C:\Windows\explorer.exe | Code function: 2_2_0156BF3C NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Windows\explorer.exe | Code function: 2_2_01560FBC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\explorer.exe | Code function: 2_2_01561803 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\explorer.exe | Code function: 2_2_0156135C memset,NtQueryInformationProcess
Source: C:\Windows\explorer.exe | Code function: 2_2_01560AAA NtQueryInformationProcess
Source: C:\Windows\explorer.exe | Code function: 2_2_015A0248 LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory
Detected potential crypto function
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_00404204
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_004012EF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004060FB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004315C9
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040B0C4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00433122
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00442269
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0044A236
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040C360
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040B376
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042D37C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040B31B
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004213EA
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00419400
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040B4E2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042B4FE
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004414A7
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00433557
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0044B5F6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042D681
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042E7C2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042C7E4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0044A7A6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00431860
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00432816
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_004398DB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0043398C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00443ABF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0042BCEF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00432D0A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0044AD16
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040DE10
Source: C:\Windows\explorer.exe | Code function: 2_2_01565013
Source: C:\Windows\explorer.exe | Code function: 2_2_0154482F
Source: C:\Windows\explorer.exe | Code function: 2_2_0156D0BC
Source: C:\Windows\explorer.exe | Code function: 2_2_01544B2B
Source: C:\Windows\explorer.exe | Code function: 2_2_01563BFD
Source: C:\Windows\explorer.exe | Code function: 2_2_01544A0A
Source: C:\Windows\explorer.exe | Code function: 2_2_01559A33
Source: C:\Windows\explorer.exe | Code function: 2_2_01559543
Source: C:\Windows\explorer.exe | Code function: 2_2_01557DD0
Source: C:\Windows\explorer.exe | Code function: 2_2_01543400
Source: C:\Windows\explorer.exe | Code function: 2_2_01558FB0
Source: C:\Windows\explorer.exe | Code function: 2_2_01558FAF
Source: C:\Windows\explorer.exe | Code function: 2_2_0155B6F4
Source: C:\Windows\explorer.exe | Code function: 2_2_015A084A
Source: C:\Windows\explorer.exe | Code function: 2_2_015C526B
Source: C:\Windows\explorer.exe | Code function: 2_2_015B9208
Source: C:\Windows\explorer.exe | Code function: 2_2_015B9207
Source: C:\Windows\explorer.exe | Code function: 2_2_015A4A87
Source: C:\Windows\explorer.exe | Code function: 2_2_015BBDDC
Source: C:\Windows\explorer.exe | Code function: 2_2_015A4D83
Source: C:\Windows\explorer.exe | Code function: 2_2_015A4C62
Source: C:\Windows\explorer.exe | Code function: 2_2_015B9C8B
Source: C:\Windows\explorer.exe | Code function: 2_2_015B979B
Source: C:\Windows\explorer.exe | Code function: 2_2_015C3E55
Source: C:\Windows\explorer.exe | Code function: 2_2_015A3613
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 0041B780 appears 33 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 0041B9A0 appears 91 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 004391D0 appears 50 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 0041B170 appears 109 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 00432414 appears 36 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: String function: 0041B3B0 appears 63 times
PE file contains strange resources
Source: rb5iJg6pgN.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: rb5iJg6pgN.exe | Binary or memory string: OriginalFilename vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe, 00000000.00000002.1499833844.002D0000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe | Binary or memory string: OriginalFilenameWorker. vs rb5iJg6pgN.exe
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Yara signature match
Source: rb5iJg6pgN.exe, type: SAMPLE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000022.00000002.1734565185.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1538556444.05310000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686373712.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536262211.03CC0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000027.00000002.1736596250.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1540736146.070E0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000018.00000002.1694247399.00640000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686572361.00470000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.42.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.84.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: C60A.bin.3.dr | Binary string: Boot Device: \Device\HarddiskVolume1
Classification label
Source: classification engine | Classification label: mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2
Contains functionality to enum processes or threads
Source: C:\Windows\explorer.exe | Code function: 2_2_015518D9 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next,2_2_015518D9
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00407E91 SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderPathA,AuthzInitializeResourceManager,AuthzFreeResourceManager,GetLastError,MessageBoxA,GetUserDefaultLangID,EnumTimeFormatsA,FindResourceExW,FindResourceExW,LoadResource,0_1_00407E91
Creates files inside the user directory
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\user~1\AppData\Local\Temp\5F76.bin
Found command line output
Launches a second explorer.exe instanceShow sources
Source: unknownProcess created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\rb5iJg6pgN.exeProcess created: C:\Windows\explorer.exeJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: rb5iJg6pgN.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Reads ini filesShow sources
Source: C:\Windows\explorer.exeFile read: C:\Program Files\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\rb5iJg6pgN.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample might require command line argumentsShow sources
Source: explorer.exeString found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\rb5iJg6pgN.exe 'C:\Users\user\Desktop\rb5iJg6pgN.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown | Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s
Reading the two lists together: the sample starts a fresh explorer.exe, and it is that explorer.exe, not rb5iJg6pgN.exe, that drives the whole reconnaissance chain, appending the output of systeminfo, net view, nslookup 127.0.0.1, tasklist /SVC, driverquery and two reg query runs over the 32- and 64-bit Uninstall keys into a single file, C:\Users\user~1\AppData\Local\Temp\C60A.bin1 (the echo -------- lines are separators between sections of that file). Together with the isfb3 PDB string found in explorer.exe memory (see "Binary contains paths to debug symbols" below), this indicates the unpacked payload was injected into the newly created explorer.exe and is doing the host profiling from there. The combination of explorer.exe as parent of cmd.exe, a built-in recon tool on the command line, and output redirected into one file under %TEMP% is a useful hunting pivot for this family.
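The following is an added detection example, not part of the sandbox report and not code from the sample or from Joe Sandbox. It encodes the process-creation pattern above as a rule over Sysmon-style process-creation records: cmd.exe spawned by explorer.exe, running one of the built-in recon tools, with output redirected into a file under the user's Temp directory. Individual hits are then grouped by that output file, so the rule fires only when several distinct recon commands feed the same file, which is what separates this chain from an administrator running systeminfo by hand. The event records are constructed inline (the first seven mirror the report's command lines, the last two are benign noise added to show what the rule must not flag); the field names ParentImage, Image and CommandLine follow Sysmon Event ID 1 but the records themselves are assumed, not taken from this report.

```python
import re
from collections import defaultdict

# Recon commands chained by the sample. Each pattern matches the command as it
# appears inside the "cmd /C '...'" wrapper shown in the report.
RECON_PATTERNS = {
    "systeminfo":    re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "net_view":      re.compile(r"\bnet(\.exe)?\s+view\b", re.I),
    "nslookup":      re.compile(r"\bnslookup(\.exe)?\b", re.I),
    "tasklist_svc":  re.compile(r"\btasklist(\.exe)?\s+/svc\b", re.I),
    "driverquery":   re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    # Covers both the native and the Wow6432Node Uninstall key.
    "reg_uninstall": re.compile(r"\breg(\.exe)?\s+query\s+\S*CurrentVersion\\Uninstall", re.I),
}

# Output redirected (> or >>) into a file under <profile>\AppData\Local\Temp.
REDIRECT_RE = re.compile(r'''>{1,2}\s*['"]?([^'"\s]*\\AppData\\Local\\Temp\\[^'"\s]+)''', re.I)


def classify_event(ev):
    """Return (recon_name, output_file) when a process-creation record looks like
    one step of the chain (explorer.exe -> cmd.exe -> recon tool -> Temp file),
    otherwise None. The 'echo --------' separators carry a redirect but no recon
    command, so they fall through to None."""
    if not ev["Image"].lower().endswith("\\cmd.exe"):
        return None
    if not ev["ParentImage"].lower().endswith("\\explorer.exe"):
        return None
    cmd = ev["CommandLine"]
    m = REDIRECT_RE.search(cmd)
    if not m:
        return None
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return name, m.group(1).lower()
    return None


def find_recon_chains(events, min_steps=3):
    """Group recon steps by the file they write to; a file fed by at least
    min_steps distinct recon commands is reported as a chain."""
    chains = defaultdict(set)
    for ev in events:
        hit = classify_event(ev)
        if hit:
            name, outfile = hit
            chains[outfile].add(name)
    return {f: sorted(names) for f, names in chains.items() if len(names) >= min_steps}


# Constructed sample records. The first seven mirror the report's command lines.
_PARENT = r"C:\Windows\explorer.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
_OUT = r"C:\Users\user~1\AppData\Local\Temp\C60A.bin1"
SAMPLE_EVENTS = [
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'systeminfo.exe > " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'echo -------- >> " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'net view >> " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'nslookup 127.0.0.1 >> " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'tasklist.exe /SVC >> " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C 'driverquery.exe >> " + _OUT + "'"},
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine":
        r"cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> " + _OUT + "'"},
    # Benign noise (constructed): an admin running systeminfo interactively, no redirect ...
    {"ParentImage": _PARENT, "Image": _CMD, "CommandLine": "cmd /C systeminfo.exe"},
    # ... and an inventory script writing to Temp, but not launched from explorer.exe.
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _CMD,
     "CommandLine": r"cmd /C 'tasklist.exe /SVC > C:\Users\user~1\AppData\Local\Temp\inv.txt'"},
]


if __name__ == "__main__":
    for outfile, steps in find_recon_chains(SAMPLE_EVENTS).items():
        print("recon chain writing to %s: %s" % (outfile, ", ".join(steps)))
```

The threshold of three distinct tools is a tuning knob: the sample uses six, and a lower threshold trades precision for catching variants that drop a step. In production the same grouping is better keyed on parent process GUID plus output file rather than on the file name alone, since the random C60A prefix will differ per run.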
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32
Uses systeminfo.exe to query system information
Source: unknown | Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Uses tasklist.exe to query information about running processes
Source: unknown | Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Checks if Microsoft Office is installed
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
The key opened is not a generic Office marker: OMI Account Manager\Accounts holds Outlook's per-account mail settings (server names, user names and stored passwords). Read this as mail-credential harvesting, consistent with the "spyw" tag in the classification, rather than as an installed-software check.
Submission file is bigger than most known malware samples
Source: rb5iJg6pgN.exe | Static file information: File size 1158144 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: c:\isfb3\release\client.pdb | source: explorer.exe
The PDB path is the build tree of ISFB, the Gozi/Ursnif banking trojan, and it was found in explorer.exe memory rather than in the submitted file on disk. That fits an unpacked payload running injected in the explorer.exe the sample created, which is also the process that runs the reconnaissance chain above.
PE file contains a valid data directory to section mapping
Source: rb5iJg6pgN.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rb5iJg6pgN.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rb5iJg6pgN.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rb5iJg6pgN.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rb5iJg6pgN.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
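The following is an added example showing how the two static checks above (section characteristics, and each data directory resolving to one section) are computed; it is not code from the report, the sample or Joe Sandbox, and it uses only the standard library rather than pefile. It parses the DOS, COFF, optional and section headers directly, resolves every populated data directory RVA to the section whose virtual range contains it, and names the characteristic flags of each section. Because the sample itself is not available here, the input is a constructed PE32 header (no code, headers only) laid out like the one in the report, with an extra parameter to produce the anomalous case of a directory pointing outside every section, which is what the "valid mapping" check is designed to catch.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
# Data directory entries in the order the optional header lists them.
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
             "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_headers(pe):
    """Return ({dir_name: (rva, size)}, [section dicts]) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", pe, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, len(DIR_NAMES))):
        rva, size = struct.unpack_from("<II", pe, dd_off + 8 * i)
        if rva:
            dirs[DIR_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsec):                                # 40-byte section headers
        f = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "chars": f[9]})
    return dirs, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def map_data_directories(pe):
    """The 'data directory is in: section' check. None marks a directory that
    points outside every section, a classic sign of header tampering."""
    dirs, sections = parse_headers(pe)
    return {name: section_for_rva(sections, rva) for name, (rva, _) in dirs.items()}


def section_flags(pe):
    """Named characteristic flags per section (sorted), e.g. to spot
    write+execute sections that packers and self-modifying loaders leave behind."""
    _, sections = parse_headers(pe)
    return {s["name"]: sorted(n for bit, n in FLAG_NAMES.items() if s["chars"] & bit)
            for s in sections}


def build_sample_pe(import_rva=0x2100):
    """Constructed PE32 header laid out like the sample: .text is code/exec/read
    and .rdata carries IMPORT, LOAD_CONFIG and IAT. import_rva lets the caller
    produce the anomalous case (an RVA outside every section). Assumed data."""
    sections = [  # (name, VirtualAddress, VirtualSize, Characteristics)
        (b".text",  0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".rsrc",  0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 0x50)  # IMPORT
    dirs[2] = (0x3000, 0x200)     # RESOURCE
    dirs[5] = (0x4000, 0x100)     # BASERELOC
    dirs[10] = (0x2800, 0x40)     # LOAD_CONFIG
    dirs[12] = (0x2000, 0x80)     # IAT
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", len(dirs))
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return dos + coff + opt + hdrs


if __name__ == "__main__":
    pe = build_sample_pe()
    for name, sec in map_data_directories(pe).items():
        print("IMAGE_DIRECTORY_ENTRY_%s is in: %s" % (name, sec))
    print(section_flags(pe)[".text"])
```

On a real file, pass the raw bytes of the executable to map_data_directories; only the headers are read, so the result does not depend on the file being fully mapped. A directory that resolves to None, or to a section whose flags include both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, is the kind of result that should lower confidence in a "valid mapping" verdict.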

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00444365 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_1_00444365
This particular sequence (EncodePointer around a LoadLibraryExW/GetProcAddress chain, followed by IsDebuggerPresent and OutputDebugStringW) is also what the Visual C++ runtime's own start-up code looks like, so on its own it is weak evidence of deliberate import hiding; the explorer.exe injection and the push/ret gadgets below are the stronger indicators in this report.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_004041F3 push ecx; ret 0_2_00404203
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_2_002C0C9B push edi; ret 0_2_002C0CD2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00439215 push ecx; ret 0_1_00439228
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_0040533E push edx; ret 0_1_00405341
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00432414 push eax; ret 0_1_00432432
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe | Code function: 0_1_00436D8A push ecx; ret 0_1_00436D9D
Source: C:\Windows\explorer.exe | Code function: 2_2_0064027A push ecx; ret 2_2_0064028A
Source: C:\Windows\explorer.exe | Code function: 2_2_0156D0AB push ecx; ret 2_2_0156D0BB
Source: C:\Windows\explorer.exe | Code function: 2_2_015A0839 push ecx; ret 2_2_015A0849
Source: C:\Windows\explorer.exe | Code function: 2_2_015BD374 push eax; iretd 2_2_015BD395
Source: C:\Windows\explorer.exe | Code function: 2_2_015CD303 push ecx; ret 2_2_015CD313
Each entry gives the address of the push followed by the address of the matching ret (or iretd), i.e. a push of a register that is then consumed as a return address, which diverts control flow without a call or jmp. The 2_2_015xxxxx entries are in the explorer.exe process but well away from the explorer.exe image base of the 2_2_0064xxxx entry, consistent with injected code.

Persistence and Installation Behavior:

Searches for installed JRE in non-default directory
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory | synchronize
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory | synchronize
All of these are directory listings (read data or list directory | synchronize) under the user's roaming profile, issued by the injected explorer.exe; no file under .jre is read or written in this report.

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Windows\explorer.exe | Window found: window name: ProgMan
Source: C:\Windows\explorer.exe | Window found: window name: ProgMan
ProgMan is the Program Manager window that explorer.exe itself owns for the desktop; locating it is the usual way code finds the desktop or shell window and is not, by itself, a search for Task Manager or Process Explorer. This signature is therefore fired on weak evidence here, and its placement under Boot Survival reflects the report's fixed section layout rather than any persistence mechanism observed.

Hooking and other Techniques for Hiding and Protection: