Play interactive tour

Edit tour

Analysis Report rb5iJg6pgN.exe

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	897192
Start date:	27.06.2019
Start time:	14:38:07
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 22m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rb5iJg6pgN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 298
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation211	Hooking3	Hooking3	Software Packing1	Credential Dumping3	System Time Discovery1	Application Deployment Software	Data from Local System41	Data Encrypted12	Commonly Used Port1
Replication Through Removable Media	Execution through API1	Port Monitors	Process Injection811	Deobfuscate/Decode Files or Information1	Credentials in Files1	Security Software Discovery361	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol22
Drive-by Compromise	Command-Line Interface1	Accessibility Features	Path Interception	File Deletion1	Hooking3	File and Directory Discovery13	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information2	Credentials in Files	System Information Discovery266	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol2
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Rootkit3	Account Manipulation	Query Registry1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Modify Registry1	Brute Force	Process Discovery4	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Process Injection811	Two-Factor Authentication Interception	Application Window Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	Indicator Blocking	Bash History	Remote System Discovery11	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol
Trusted Relationship	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	System Network Configuration Discovery2	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for sample

Show sources

Source: rb5iJg6pgN.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack	Joe Sandbox ML: detected
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack	Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_004060FB __EH_prolog,MessageBoxA,MessageBoxA,_memset,CreateAcceleratorTableA,wsprintfA,MessageBoxA,SendMessageA,TranslateAcceleratorA,TranslateMessage,_memset,SetAbortProc,GetCursorPos,CreateEventA,SetMapMode,SetWindowExtEx,GetCursorPos,SendInput,GetPriorityClass,GlobalAlloc,DialogBoxIndirectParamA,WaitForSingleObject,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,_memset,__libm_sse2_asin_precise,__floor_pentium4,GetTextFaceA,__libm_sse2_asin_precise,GetViewportExtEx,#413,PdhCollectQueryData,SetWindowTextA,GetViewportOrgEx,LoadImageA,RedrawWindow,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__libm_sse2_log10_precise,__floor_pentium4,__libm_sse2_asin_precise,CreateDialogParamA,SetDlgItemTextA,_memset,GetOpenFileNameA,_memset,GetClassNameA,GetClassNameA,__floor_pentium4,DescribePixelFormat,_memset,_memset,_strrchr,SetScrollInfo,GetScrollInfo,ScrollWindow,UpdateWindow,GetDialogBaseUnits,VirtualAlloc,ChooseColorA,SendMessageA,SendMessageA,SendMessageA,GetClientRect,MoveWindow,ShowWindow,ShowWin

0_1_004060FB

Spreading:

Performs a network lookup / discovery via net view

Show sources

Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe	Code function: 2_2_01552003 FindFirstFileA,lstrcpy,GetFileAttributesA,mbstowcs,FindNextFileA,FindClose,	2_2_01552003
Source: C:\Windows\explorer.exe	Code function: 2_2_01560022 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_01560022
Source: C:\Windows\explorer.exe	Code function: 2_2_015568A7 memset,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,	2_2_015568A7
Source: C:\Windows\explorer.exe	Code function: 2_2_01560316 FindFirstFileW,WaitForSingleObject,FindNextFileW,FindClose,	2_2_01560316
Source: C:\Windows\explorer.exe	Code function: 2_2_0156048A FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,FindClose,	2_2_0156048A
Source: C:\Windows\explorer.exe	Code function: 2_2_01541FF9 RtlAllocateHeap,TerminateProcess,CloseHandle,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,DeleteFileW,FindNextFileW,FindClose,HeapFree,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,RtlAllocateHeap,lstrcpyW,TerminateProcess,CloseHandle,lstrcpyW,DeleteFileW,HeapFree,HeapFree,	2_2_01541FF9

Contains functionality to query local drives

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_0154C557 memset,memset,GetVersionExW,LoadLibraryW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,memcmp,OpenFileMappingA,GetLogicalDriveStringsW,VirtualFree,VirtualFree,GetLogicalDriveStringsW,FreeLibrary,

2_2_0154C557

Networking:

Uses nslookup.exe to query domains

Show sources

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1			Jump to behavior

Connects to country known for bullet proof hosters

Show sources

Source: unknown

Network traffic detected: IP: 5.188.60.53 Russian Federation

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: explorer.exe	String found in binary or memory: eralbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainsclou equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: monthlyofficercouncilgainingeven inSummarydate ofloyaltyfitnessand wasemperorsupremeSecond hearingRussianlongestAlbertalateralset of small">.appenddo withfederalbank ofbeneathDespiteCapitalgrounds), and percentit fromclosingcontainInsteadfifteenas well.yahoo.respondfighterobscurereflectorganic= Math.editingonline paddinga wholeonerroryear ofend of barrierwhen itheader home ofresumedrenamedstrong>heatingretainscloudfrway of March 1knowingin partBetweenlessonsclosestvirtuallinks">crossedEND -->famous awardedLicenseHealth fairly wealthyminimalAfricancompetelabel">singingfarmersBrasil)discussreplaceGregoryfont copursuedappearsmake uproundedboth ofblockedsaw theofficescoloursif(docuwhen heenforcepush(fuAugust UTF-8">Fantasyin mostinjuredUsuallyfarmingclosureobject defenceuse of Medical<body> equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: pilodirsob.com

Urls found in memory or binary data

Show sources

Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://.css
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://.jpg
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.comodo.n
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://crl.m
Source: explorer.exe, 00000003.00000000.1511733570.043DF000.00000004.sdmp	String found in binary or memory: http://crl.microsoWBu4om
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://crl.microso_
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: C60A.bin.3.dr	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crlf
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000003.00000000.1509319448.03C30000.00000008.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000003.00000000.1502801306.01D30000.00000008.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.1512679035.0464D000.00000004.sdmp	String found in binary or memory: http://www.%s.comSoftware
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: C60A.bin.3.dr	String found in binary or memory: http://www.alexisisaac.net
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: explorer.exe, 00000003.00000000.1513780152.049B0000.00000004.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: C60A.bin.3.dr	String found in binary or memory: https://java.sun.com
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp, C60A.bin.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/43.0.1/releasenotes

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\explorer.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff		2_2_01541E2E
Source: C:\Windows\explorer.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie		2_2_01541E2E

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_004060FB

System Summary:

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402C11 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,	0_2_00402C11
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402732 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_00402732
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402C3D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00402C3D
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402AD0 memset,NtQueryInformationProcess,	0_2_00402AD0
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004032D4 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,	0_2_004032D4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004039E1 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,	0_2_004039E1
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402BE5 NtReadVirtualMemory,NtReadVirtualMemory,	0_2_00402BE5
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00403188 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,	0_2_00403188
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004039A2 NtMapViewOfSection,RtlNtStatusToDosError,	0_2_004039A2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00404425 NtQueryVirtualMemory,	0_2_00404425
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00402BC4 NtGetContextThread,RtlNtStatusToDosError,	0_2_00402BC4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00402B78 _memmove,NtWriteVirtualMemory,	0_1_00402B78
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00402C18 NtWriteVirtualMemory,	0_1_00402C18
Source: C:\Windows\explorer.exe	Code function: 2_2_0156B1C6 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,	2_2_0156B1C6
Source: C:\Windows\explorer.exe	Code function: 2_2_015630D0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_015630D0
Source: C:\Windows\explorer.exe	Code function: 2_2_015618C4 NtWriteVirtualMemory,	2_2_015618C4
Source: C:\Windows\explorer.exe	Code function: 2_2_015618F0 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	2_2_015618F0
Source: C:\Windows\explorer.exe	Code function: 2_2_01561898 NtReadVirtualMemory,	2_2_01561898
Source: C:\Windows\explorer.exe	Code function: 2_2_0156BF7B NtCreateSection,memset,RtlNtStatusToDosError,NtClose,	2_2_0156BF7B
Source: C:\Windows\explorer.exe	Code function: 2_2_0156BF3C NtMapViewOfSection,RtlNtStatusToDosError,	2_2_0156BF3C
Source: C:\Windows\explorer.exe	Code function: 2_2_01560FBC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	2_2_01560FBC
Source: C:\Windows\explorer.exe	Code function: 2_2_01561803 NtQuerySystemInformation,RtlNtStatusToDosError,	2_2_01561803
Source: C:\Windows\explorer.exe	Code function: 2_2_0156135C memset,NtQueryInformationProcess,	2_2_0156135C
Source: C:\Windows\explorer.exe	Code function: 2_2_01560AAA NtQueryInformationProcess,	2_2_01560AAA
Source: C:\Windows\explorer.exe	Code function: 2_2_015A0248 LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,	2_2_015A0248

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_00404204	0_2_00404204
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004012EF	0_2_004012EF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004060FB	0_1_004060FB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004315C9	0_1_004315C9
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B0C4	0_1_0040B0C4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00433122	0_1_00433122
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00442269	0_1_00442269
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044A236	0_1_0044A236
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040C360	0_1_0040C360
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B376	0_1_0040B376
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042D37C	0_1_0042D37C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B31B	0_1_0040B31B
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004213EA	0_1_004213EA
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00419400	0_1_00419400
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040B4E2	0_1_0040B4E2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042B4FE	0_1_0042B4FE
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004414A7	0_1_004414A7
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00433557	0_1_00433557
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044B5F6	0_1_0044B5F6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042D681	0_1_0042D681
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042E7C2	0_1_0042E7C2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042C7E4	0_1_0042C7E4
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044A7A6	0_1_0044A7A6
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00431860	0_1_00431860
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432816	0_1_00432816
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_004398DB	0_1_004398DB
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0043398C	0_1_0043398C
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00443ABF	0_1_00443ABF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0042BCEF	0_1_0042BCEF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432D0A	0_1_00432D0A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0044AD16	0_1_0044AD16
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040DE10	0_1_0040DE10
Source: C:\Windows\explorer.exe	Code function: 2_2_01565013	2_2_01565013
Source: C:\Windows\explorer.exe	Code function: 2_2_0154482F	2_2_0154482F
Source: C:\Windows\explorer.exe	Code function: 2_2_0156D0BC	2_2_0156D0BC
Source: C:\Windows\explorer.exe	Code function: 2_2_01544B2B	2_2_01544B2B
Source: C:\Windows\explorer.exe	Code function: 2_2_01563BFD	2_2_01563BFD
Source: C:\Windows\explorer.exe	Code function: 2_2_01544A0A	2_2_01544A0A
Source: C:\Windows\explorer.exe	Code function: 2_2_01559A33	2_2_01559A33
Source: C:\Windows\explorer.exe	Code function: 2_2_01559543	2_2_01559543
Source: C:\Windows\explorer.exe	Code function: 2_2_01557DD0	2_2_01557DD0
Source: C:\Windows\explorer.exe	Code function: 2_2_01543400	2_2_01543400
Source: C:\Windows\explorer.exe	Code function: 2_2_01558FB0	2_2_01558FB0
Source: C:\Windows\explorer.exe	Code function: 2_2_01558FAF	2_2_01558FAF
Source: C:\Windows\explorer.exe	Code function: 2_2_0155B6F4	2_2_0155B6F4
Source: C:\Windows\explorer.exe	Code function: 2_2_015A084A	2_2_015A084A
Source: C:\Windows\explorer.exe	Code function: 2_2_015C526B	2_2_015C526B
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9208	2_2_015B9208
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9207	2_2_015B9207
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4A87	2_2_015A4A87
Source: C:\Windows\explorer.exe	Code function: 2_2_015BBDDC	2_2_015BBDDC
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4D83	2_2_015A4D83
Source: C:\Windows\explorer.exe	Code function: 2_2_015A4C62	2_2_015A4C62
Source: C:\Windows\explorer.exe	Code function: 2_2_015B9C8B	2_2_015B9C8B
Source: C:\Windows\explorer.exe	Code function: 2_2_015B979B	2_2_015B979B
Source: C:\Windows\explorer.exe	Code function: 2_2_015C3E55	2_2_015C3E55
Source: C:\Windows\explorer.exe	Code function: 2_2_015A3613	2_2_015A3613

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B780 appears 33 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B9A0 appears 91 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 004391D0 appears 50 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B170 appears 109 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 00432414 appears 36 times
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: String function: 0041B3B0 appears 63 times

PE file contains strange resources

Show sources

Source: rb5iJg6pgN.exe

Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: rb5iJg6pgN.exe	Binary or memory string: OriginalFilename vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe, 00000000.00000002.1499833844.002D0000.00000008.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs rb5iJg6pgN.exe
Source: rb5iJg6pgN.exe	Binary or memory string: OriginalFilenameWorker. vs rb5iJg6pgN.exe

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s

Yara signature match

Show sources

Source: rb5iJg6pgN.exe, type: SAMPLE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000000.1467280177.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000001.1467651208.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1499833844.002D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1499976703.00400000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.1486070629.01620000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1543921572.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1544091557.00650000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.1544074903.00630000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1499473775.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1499698657.00440000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1501425872.016F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502801306.01D30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502827811.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502842638.01DA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502889959.01E00000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502878957.01DF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1502536161.01A20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1503029285.02020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507679611.02BA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507689530.02BC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507943848.02D40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507950533.02D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1507991377.02DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508015150.02E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508035531.02E60000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508020629.02E30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508119677.03020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508132762.03080000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508179226.03130000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508183860.03140000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508802180.035F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508810634.03600000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1508897767.03AF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509255440.03C20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510641728.03D80000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510698102.03E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510826926.03EE0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510791092.03EB0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510705859.03E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510762006.03E90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510778872.03EA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510661452.03DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510834757.03EF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510878677.03F70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509201484.03B70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509319448.03C30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1510996422.04150000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1511065722.042C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1516367336.070E0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1509998222.03CC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1526476296.016F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528350249.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528282321.01D30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1529056137.01E00000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528914237.01DF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1529414366.02020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534115502.02BA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534129692.02BC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534313551.02D40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534334049.02D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1528641544.01DA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534425716.02E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534481919.02E60000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534585823.03020000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534437822.02E30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534605501.03080000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534672142.03130000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534679802.03140000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1524597638.00440000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1524475486.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1514376422.05310000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535904797.03AF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1534388387.02DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536709172.03D80000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536750248.03E20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535812569.035F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536757874.03E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536809625.03EB0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536825861.03EE0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536800241.03EA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536870913.03F70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1527805844.01A20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1537045293.042C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536075349.03C30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536732103.03DE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536026873.03C20000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535821910.03600000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536791257.03E90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1535957747.03B70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536833113.03EF0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000002.1659326612.001E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000018.00000002.1694019901.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000001D.00000002.1710546118.001A0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000022.00000002.1734565185.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1538556444.05310000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686373712.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1536262211.03CC0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000027.00000002.1736596250.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000003.00000000.1540736146.070E0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000018.00000002.1694247399.00640000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1686572361.00470000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.2d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.rb5iJg6pgN.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.650000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 2.2.explorer.exe.630000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.15.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.17.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.19.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.21.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.22.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.26.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.27.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.30.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.35.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.37.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.4150000.39.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.38.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.60000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.31.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.25.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.16f0000.45.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d30000.47.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1d70000.48.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.7.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.8.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.53.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.55.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.56.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.54.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2de0000.57.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e20000.58.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3020000.61.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3080000.62.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.63.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3600000.66.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3af0000.67.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.rb5iJg6pgN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2ba0000.10.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3d80000.72.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c30000.70.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1e00000.51.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e20000.74.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.75.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e90000.76.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2bc0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d40000.12.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2d70000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3eb0000.78.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ef0000.80.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.42c0000.82.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1da0000.49.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.2.systeminfo.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3c20000.69.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3130000.20.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.52.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.35f0000.65.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e60000.60.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ea0000.77.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 29.2.driverquery.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 34.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 39.2.reg.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2020000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3e40000.32.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3140000.64.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1df0000.50.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3de0000.73.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3f70000.81.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.2e30000.59.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3b70000.68.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3ee0000.79.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.70e0000.84.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.1a20000.46.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.net.exe.470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.28.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.83.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.3cc0000.71.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 3.0.explorer.exe.5310000.41.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 24.2.tasklist.exe.640000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: C60A.bin.3.dr

Binary string: Boot Device: \Device\HarddiskVolume1

Classification label

Show sources

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winEXE@47/15@3/2

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_015518D9 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next,

2_2_015518D9

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00407E91 SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderPathA,AuthzInitializeResourceManager,AuthzFreeResourceManager,GetLastError,MessageBoxA,GetUserDefaultLangID,EnumTimeFormatsA,FindResourceExW,FindResourceExW,LoadResource,

0_1_00407E91

Creates files inside the user directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user~1\AppData\Local\Temp\5F76.bin

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w0.............3w..0.............(.................................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .I.n.f.o.r.m.a.t.i.o.n. ...........P...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................................<.............S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .C.o.m.p.u.t.e.r. .I.n.f.o.r.m.a.t.i.o.n. .............S...{w..S.p...@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.............................................X.S...{wX.S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.r.o.c.e.s.s.o.r. .I.n.f.o.r.m.a.t.i.o.n. .........X.S...{wX.S.....B...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0..............................................$R...{w.$R...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .B.I.O.S. .I.n.f.o.r.m.a.t.i.o.n. ....................$R...{w.$R.....8...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................'.............................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .I.n.p.u.t. .L.o.c.a.l.e. .I.n.f.o.r.m.a.t.i.o.n. .........{w..S.....H...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0...................................................ww.'....................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .T.i.m.e.Z.o.n.e. .I.n.f.o.r.m.a.t.i.o.n. .................ww.'......@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................4.................................ww.'....................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.r.o.f.i.l.e. .I.n.f.o.r.m.a.t.i.o.n. ...................ww.'......>...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0...............................................S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .P.a.g.e.f.i.l.e. .I.n.f.o.r.m.a.t.i.o.n. .............S...{w..S.....@...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0..............................................#R...{w.#R...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .H.o.t.f.i.x. .I.n.f.o.r.m.a.t.i.o.n. ................#R...{w.#R.....<...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w..............3w..0.................................X.............S...{w..S...................2.	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w........L.o.a.d.i.n.g. .N.e.t.w.o.r.k. .C.a.r.d. .I.n.f.o.r.m.a.t.i.o.n. .........{w..S.....H...............	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Console Write: ..........3w..........3w<.............3w..0.................,#..............D.r............. .........................2.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ....................S.y.s.t.e.m. .e.r.r.o.r. .6.1.1.8. .h.a.s. .o.c.c.u.r.r.e.d...........l.\|...%tl.....B...........8.l.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ..........................0.....\|............+..........................r.r.e.d...........l.\|...%tl...........-.........	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ....................a.5w..0.....\|............+..................................8.l.......l.\|...%tl.................8.l.	Jump to behavior
Source: C:\Windows\System32\net.exe	Console Write: ..........................0.....\|............,..................................8.l.......l.\|...%tl.....................	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ........a.5w..0.....E.R.R.O.R.:. .............................4w..............4w....P.0.....$...G..w..................0.
Source: C:\Windows\System32\reg.exe	Console Write: ........a.5w..0.....<.......T...S...............................$.....................0.........X...........j.:w...o....

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: rb5iJg6pgN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample might require command line arguments

Show sources

Source: explorer.exe

String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\rb5iJg6pgN.exe 'C:\Users\user\Desktop\rb5iJg6pgN.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Jump to behavior

Uses systeminfo.exe to query system information

Show sources

Source: unknown

Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe

Uses tasklist.exe to query information about running processes

Show sources

Source: unknown

Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC

Checks if Microsoft Office is installed

Show sources

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: rb5iJg6pgN.exe

Static file information: File size 1158144 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\isfb3\release\client.pdb source: explorer.exe

PE file contains a valid data directory to section mapping

Show sources

Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rb5iJg6pgN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00444365 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_1_00444365

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_004041F3 push ecx; ret	0_2_00404203
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C0C9B push edi; ret	0_2_002C0CD2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00439215 push ecx; ret	0_1_00439228
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_0040533E push edx; ret	0_1_00405341
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00432414 push eax; ret	0_1_00432432
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00436D8A push ecx; ret	0_1_00436D9D
Source: C:\Windows\explorer.exe	Code function: 2_2_0064027A push ecx; ret	2_2_0064028A
Source: C:\Windows\explorer.exe	Code function: 2_2_0156D0AB push ecx; ret	2_2_0156D0BB
Source: C:\Windows\explorer.exe	Code function: 2_2_015A0839 push ecx; ret	2_2_015A0849
Source: C:\Windows\explorer.exe	Code function: 2_2_015BD374 push eax; iretd	2_2_015BD395
Source: C:\Windows\explorer.exe	Code function: 2_2_015CD303 push ecx; ret	2_2_015CD313

Persistence and Installation Behavior:

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Show sources

Source: C:\Windows\explorer.exe	Window found: window name: ProgMan			Jump to behavior
Source: C:\Windows\explorer.exe	Window found: window name: ProgMan			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\rb5ijg6pgn.exe

Jump to behavior

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessW address: 773C9000

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: USER32.dll function: KERNEL32.dll:CreateProcessW address: 51BB9C1

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: kernel32.dll function: CreateProcessW new code: 0xE9 0x9B 0xBC 0xC2 0x29 0x9D

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_004315C9 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_1_004315C9

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 GetModuleHandleA,Sleep,_aulldiv,

0_2_00401260

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

RDTSC instruction interceptor: First address: 401278 second address: 401292 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 mov esi, dword ptr [ebp-04h] 0x0000000b mov eax, dword ptr [ebp-08h] 0x0000000e xor edi, edi 0x00000010 xor ecx, ecx 0x00000012 or edi, eax 0x00000014 or esi, ecx 0x00000016 xor eax, eax 0x00000018 cpuid 0x0000001a rdtsc

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 rdtsc

0_2_00401260

Contains functionality to read device registry values (via SetupAPI)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401453 GetModuleHandleA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiDestroyDeviceInfoList,

0_2_00401453

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread delayed: delay time: 5000000	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread delayed: delay time: 1000000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread delayed: delay time: 1000000	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1687			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 450			Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\explorer.exe

API coverage: 4.1 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -500000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -50000000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe TID: 1724	Thread sleep time: -1000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1720	Thread sleep time: -1000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep count: 1687 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep time: -1012200000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3716	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3328	Thread sleep time: -5000000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3712	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe TID: 1400	Thread sleep time: -2400000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe TID: 1400	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\tasklist.exe TID: 1500	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\tasklist.exe TID: 1500	Thread sleep time: -600000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\driverquery.exe TID: 3484	Thread sleep time: -1200000000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\driverquery.exe TID: 3484	Thread sleep time: -600000000s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe	Code function: 2_2_01552003 FindFirstFileA,lstrcpy,GetFileAttributesA,mbstowcs,FindNextFileA,FindClose,	2_2_01552003
Source: C:\Windows\explorer.exe	Code function: 2_2_01560022 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_01560022
Source: C:\Windows\explorer.exe	Code function: 2_2_015568A7 memset,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,	2_2_015568A7
Source: C:\Windows\explorer.exe	Code function: 2_2_01560316 FindFirstFileW,WaitForSingleObject,FindNextFileW,FindClose,	2_2_01560316
Source: C:\Windows\explorer.exe	Code function: 2_2_0156048A FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,FindClose,	2_2_0156048A
Source: C:\Windows\explorer.exe	Code function: 2_2_01541FF9 RtlAllocateHeap,TerminateProcess,CloseHandle,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,DeleteFileW,FindNextFileW,FindClose,HeapFree,FindFirstFileW,lstrlenW,RtlAllocateHeap,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,RtlAllocateHeap,lstrcpyW,TerminateProcess,CloseHandle,lstrcpyW,DeleteFileW,HeapFree,HeapFree,	2_2_01541FF9

Contains functionality to query local drives

Show sources

Source: C:\Windows\explorer.exe

2_2_0154C557

Contains functionality to query system information

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_0155FACA GetSystemInfo,

2_2_0155FACA

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: rb5iJg6pgN.exe	Binary or memory string: virtual hd
Source: rb5iJg6pgN.exe	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.1511733570.043DF000.00000004.sdmp	Binary or memory string: vmbusres.dll
Source: rb5iJg6pgN.exe, 00000000.00000002.1500032102.00406000.00000004.sdmp	Binary or memory string: 64RtlSetUnhandledExceptionFilterAppDataLowSystemRootLdrGetProcedureAddress.RtlExitUserThreadLdrLoadDllZwProtectVirtualMemoryLow\vboxqemuvmwarevirtual hdResumeThreadSuspendThreadProgMan

Program exit points

Show sources

Source: C:\Windows\explorer.exe

API call chain: ExitProcess graph end node

graph_2-33693

Queries a list of all running processes

Show sources

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\systeminfo.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 rdtsc

0_2_00401260

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00403188 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,

0_2_00403188

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_1_00444365

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C215E mov eax, dword ptr fs:[00000030h]	0_2_002C215E
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C0000 mov eax, dword ptr fs:[00000030h]	0_2_002C0000
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_2_002C04C7 mov eax, dword ptr fs:[00000030h]	0_2_002C04C7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_0044C3FA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_1_0044C3FA

Enables debug privileges

Show sources

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00437BC3 SetUnhandledExceptionFilter,	0_1_00437BC3
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: 0_1_00437BE6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_00437BE6
Source: C:\Windows\explorer.exe	Code function: 2_2_01556306 lstrlenW,ExitProcess,GetCurrentProcessId,CreateEventA,GetLastError,SetEvent,Sleep,ResetEvent,CloseHandle,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,WaitForSingleObject,	2_2_01556306

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 5.188.60.53 187

Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory allocated: C:\Windows\explorer.exe base: 640000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 2D60000 protect: page execute and read and write			Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 7778F515 protect: page execute read	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\explorer.exe

Thread created: C:\Windows\explorer.exe EIP: 7778F515

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 50000 value: 01	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 50020 value: 9A	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 7FFD7238 value: 00	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: A102D value: EB	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: 640000 value: 2D	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: PID: 2752 base: A102D value: E8	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 7778F515 value: EB	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 2D60000 value: 15	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3692 base: 7778F515 value: 8B	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Section loaded: unknown target pid: 2752 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Thread register set: target process: 2752			Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3692			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: A102D	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: 640000	Jump to behavior
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Memory written: C:\Windows\explorer.exe base: A102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 7778F515	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 2D60000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 7778F515	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	Binary or memory string: ExceptionCode = 0x%x\dump.dmpDBGHELP.DLLMiniDumpWriteDumpFullReplaceOffGetWindowThreadProcessIdProgManUSER32.DLL\Explorer\Shell Folders\*.dll%systemroot%\system32\c_1252.nls.exe.dll.lnkpowershell-NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy bypass -File "%s"AppDataGIF87a89a!
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1500326584.00830000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: rb5iJg6pgN.exe, explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	Binary or memory string: ProgMan
Source: rb5iJg6pgN.exe, 00000000.00000002.1500032102.00406000.00000004.sdmp	Binary or memory string: 64RtlSetUnhandledExceptionFilterAppDataLowSystemRootLdrGetProcedureAddress.RtlExitUserThreadLdrLoadDllZwProtectVirtualMemoryLow\vboxqemuvmwarevirtual hdResumeThreadSuspendThreadProgMan
Source: explorer.exe, 00000003.00000000.1499760778.004AD000.00000004.sdmp	Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_004381D2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: EnumSystemLocalesW,	0_1_00438195
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_1_004452B3
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_1_0044461F
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	0_1_004466C2
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_00446884
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___ge	0_1_004458B7
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_1_00446972
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: EnumSystemLocalesW,	0_1_00446932
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_1_004469EF
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_1_00446A72
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,	0_1_00446C65
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_1_00446D8D
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_1_00446E3A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_1_00436ED1
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_1_00444EAA
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_1_00438F7A
Source: C:\Users\user\Desktop\rb5iJg6pgN.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_1_00446F0E

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00401260 cpuid

0_2_00401260

Queries device information via Setup API

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

0_2_00401453

Queries the installation date of Windows

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the product ID of Windows

Show sources

Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Queries volume information: unknown VolumeInformation

Jump to behavior

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\explorer.exe

Code function: 2_2_015527A1 CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,

2_2_015527A1

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00434B6E GetSystemTimeAsFileTime,__aulldiv,

0_1_00434B6E

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_2_00402055 GetModuleHandleA,GetModuleHandleA,GetVersion,GetCurrentProcessId,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CloseHandle,

0_2_00402055

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor

Show sources

Source: explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp

Binary or memory string: S:(ML;;NRNWNX;;;LW)

Stealing of Sensitive Information:

Detected list of crypto currency wallet names in memory (likely to steal)

Show sources

Source: explorer.exe	String found in binary or memory: electrum-
Source: explorer.exe	String found in binary or memory: armory-
Source: explorer.exe	String found in binary or memory: msigna.
Source: explorer.exe	String found in binary or memory: multibit-hd
Source: explorer.exe	String found in binary or memory: JEdudus.
Source: explorer.exe	String found in binary or memory: bither
Source: explorer.exe	String found in binary or memory: Jaxx.
Source: explorer.exe	String found in binary or memory: bitcoin

May steal data from Internet Explorer (IESTEALER detected)

Show sources

Source: explorer.exe	String found in binary or memory: #IESTEALER#
Source: explorer.exe	String found in binary or memory: #IESTEALER#
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: Username: Software\Microsoft\Internet Explorer\TypedURLsSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2#IESTEALER#

May steal data from Outlook (OLSTEALER detected)

Show sources

Source: explorer.exe	String found in binary or memory: #OLSTEALER#
Source: explorer.exe	String found in binary or memory: #OLSTEALER#
Source: explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	String found in binary or memory: %02X?%uSMTP PasswordHTTP PasswordNNTP PasswordIMAP PasswordPOP3 PasswordSMTP Password2HTTPMail Password2NNTP Password2IMAP Password2POP3 Password2IMAP PortSMTP PortPOP3 PortSMTP UserHTTPMail ServerHTTPMail User NameIMAP UserPOP3 UserHTTP Server URLHTTP UserEmailIMAP User NameIMAP ServerNNTP ServerNNTP User NameNNTP Email AddressSMTP User NamePOP3 User NamePOP3 ServerSMTP ServerSMTP Email Address#OLSTEALER#

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\2FC00D105DDC9C4B11E5D8DDE4091512B1EEA3C7	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\240DBA190FBDB5C15D3DC194B329223B5B19D549	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\A587D4F5472B1A6BBBBA4A37D224FA8619926015	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D969E6FE602AA63FF192D0E10C841D12C8630308	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\098A3394207ED67B189FE76C2DC12503C3C08949	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\FD24152333840F176EE70AE0628F9364B85BB1F7	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\doomed	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\01974EBFBB850697430A4F12734195ED05077738	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\38DF22172C17E32AA1584C6DD44E81038E19EFB5	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F045CCBF583BD17042216E343183D80AC87C5FB9	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\BC9BC80654AEBC9F7505DD601A9A1B4BDBC0C7F3	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\CE40DF72E47995F12B7A0C9DB884C82D865203F5	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EF266C446B089CF06B1E028D371C054ABCDEBA8D	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\834E996870C3095DCCB32D197E6FF17DDECDD31E	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\228A34E27343511229AA075674752A42E75408BD	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\E325B486B777C14C29762600D998974140F8FD34	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EA4732DBF7EE1F2B169923CD35582C482705391E	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\6DF8F54B434FDF7BB9EBD7E5B1D7FB4081D310C6	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EE3B023192255EF0F8BF72624FD26BCBEA167009	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D884B3C0D6FDA5EAB04FCB8FC7E00A32EAD9147D	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\4BCFB577C7B1B9001B922FFD2473F2B7AF1B75BE	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\Desktop\rb5iJg6pgN.exe

Code function: 0_1_00407FF4 __EH_prolog,GetDialogBaseUnits,GetDialogBaseUnits,GetDialogBaseUnits,BeginDeferWindowPos,DeferWindowPos,DeferWindowPos,DeferWindowPos,DeferWindowPos,EndDeferWindowPos,DefWindowProcA,GetMenu,GetMenu,GetMenu,GetSubMenu,GetSubMenu,GetSubMenu,GetMenu,GetSubMenu,GetMenu,GetSubMenu,GetMenu,GetSubMenu,SendMessageA,SendMessageA,SendMessageA,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,CheckMenuItem,EnableMenuItem,EnableMenuItem,SendMessageA,EnableMenuItem,SendMessageA,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,GetLastError,CreateBindCtx,CreateRectRgn,CombineRgn,CertDuplicateStore,GlobalAlloc,DialogBoxIndirectParamA,

0_1_00407FF4

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:38:30	API Interceptor	18275x Sleep call for process: rb5iJg6pgN.exe modified
14:38:46	API Interceptor	3375x Sleep call for process: explorer.exe modified
14:39:45	API Interceptor	12x Sleep call for process: systeminfo.exe modified
14:40:05	API Interceptor	3x Sleep call for process: tasklist.exe modified
14:40:08	API Interceptor	3x Sleep call for process: driverquery.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rb5iJg6pgN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Download
0.0.rb5iJg6pgN.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.1.rb5iJg6pgN.exe.400000.0.unpack	100%	Joe Sandbox ML	Download File
0.2.rb5iJg6pgN.exe.400000.1.unpack	100%	Joe Sandbox ML	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
rb5iJg6pgN.exe	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1467280177.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000001.1467651208.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000002.1499833844.002D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000002.1499976703.00400000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000000.00000003.1486070629.01620000.00000004.sdmp	Embedded_PE	unknown	unknown	0x20:$mz: 4D 5A 0x399e:$mz: 4D 5A 0xd573:$mz: 4D 5A 0xdbdc:$mz: 4D 5A 0x10aa9:$mz: 4D 5A 0x192e8:$mz: 4D 5A 0x1b9ad:$mz: 4D 5A 0x27e1d:$mz: 4D 5A 0x2d879:$mz: 4D 5A 0x38edc:$mz: 4D 5A 0x39262:$mz: 4D 5A 0x41409:$mz: 4D 5A 0x4b53e:$mz: 4D 5A
00000002.00000002.1543921572.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000002.00000002.1544091557.00650000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000002.00000002.1544074903.00630000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1499473775.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1499698657.00440000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1501425872.016F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502801306.01D30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502827811.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502842638.01DA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502889959.01E00000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502878957.01DF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1502536161.01A20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1503029285.02020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507679611.02BA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507689530.02BC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507943848.02D40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507950533.02D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1507991377.02DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508015150.02E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508035531.02E60000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508020629.02E30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508119677.03020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508132762.03080000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508179226.03130000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508183860.03140000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508802180.035F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508810634.03600000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1508897767.03AF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509255440.03C20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510641728.03D80000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510698102.03E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510826926.03EE0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510791092.03EB0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510705859.03E40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510762006.03E90000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510778872.03EA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510661452.03DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510834757.03EF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510878677.03F70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509201484.03B70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1509319448.03C30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1510996422.04150000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1511065722.042C0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1516367336.070E0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
00000003.00000000.1509998222.03CC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1526476296.016F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528350249.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528282321.01D30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1529056137.01E00000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528914237.01DF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1529414366.02020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534115502.02BA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534129692.02BC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534313551.02D40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534334049.02D70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1528641544.01DA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534425716.02E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534481919.02E60000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534585823.03020000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534437822.02E30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534605501.03080000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534672142.03130000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534679802.03140000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1524597638.00440000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1524475486.00060000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1514376422.05310000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
00000003.00000000.1535904797.03AF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1534388387.02DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536709172.03D80000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536750248.03E20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535812569.035F0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536757874.03E40000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536809625.03EB0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536825861.03EE0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536800241.03EA0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536870913.03F70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1527805844.01A20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1537045293.042C0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536075349.03C30000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536732103.03DE0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536026873.03C20000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535821910.03600000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536791257.03E90000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1535957747.03B70000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536833113.03EF0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000006.00000002.1659326612.001E0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000018.00000002.1694019901.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0000001D.00000002.1710546118.001A0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000022.00000002.1734565185.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1538556444.05310000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
0000000E.00000002.1686373712.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1536262211.03CC0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000027.00000002.1736596250.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
00000003.00000000.1540736146.070E0000.00000002.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
00000018.00000002.1694247399.00640000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0000000E.00000002.1686572361.00470000.00000008.sdmp	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A

Unpacked PEs

Source	Rule	Description	Author	Strings
0.1.rb5iJg6pgN.exe.400000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.400000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.2d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.2d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.60000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.60000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.2.rb5iJg6pgN.exe.400000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x397e:$mz: 4D 5A 0xd153:$mz: 4D 5A 0xd7bc:$mz: 4D 5A 0x10689:$mz: 4D 5A 0x18ec8:$mz: 4D 5A 0x1b58d:$mz: 4D 5A 0x279fd:$mz: 4D 5A 0x2d459:$mz: 4D 5A 0x38abc:$mz: 4D 5A 0x38e42:$mz: 4D 5A 0x40fe9:$mz: 4D 5A 0x4b11e:$mz: 4D 5A
0.1.rb5iJg6pgN.exe.400000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A
2.2.explorer.exe.650000.2.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.650000.2.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.630000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
2.2.explorer.exe.630000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.2.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.2.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.13.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.14.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.14.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.15.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.15.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.17.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.16.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.16.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.18.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.18.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.17.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.19.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.19.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.21.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.20.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.5.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.21.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.22.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.23.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.23.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.22.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.4.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.24.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.26.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.27.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.26.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.27.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.29.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.29.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.30.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.31.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.30.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.25.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.4.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.5.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.6.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.34.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.33.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.34.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.35.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.24.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.35.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.36.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.36.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.37.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.38.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.37.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.4150000.39.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.4150000.39.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.38.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.40.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.3.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.33.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.32.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.43.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.60000.43.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.31.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.25.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.45.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.16f0000.45.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.40.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.44.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.48.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.47.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d30000.47.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1d70000.48.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.3.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.6.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.7.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.7.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.8.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.8.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.52.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.51.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.0.rb5iJg6pgN.exe.400000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x3507f:$mz: 4D 5A 0x3af37:$mz: 4D 5A 0x714ea:$mz: 4D 5A 0x7c1b0:$mz: 4D 5A 0xa1959:$mz: 4D 5A 0xa6c87:$mz: 4D 5A 0xaef58:$mz: 4D 5A 0xb47cc:$mz: 4D 5A 0xbcc42:$mz: 4D 5A 0xbf097:$mz: 4D 5A 0xcd2e5:$mz: 4D 5A 0xd1f91:$mz: 4D 5A
3.0.explorer.exe.1da0000.49.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.53.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.53.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.54.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.55.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.55.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.56.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.56.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.54.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.57.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2de0000.57.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.58.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e20000.58.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.60.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.61.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.44.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3020000.61.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.62.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.63.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.9.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3080000.62.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.63.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3140000.64.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.65.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.66.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3600000.66.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.67.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.50.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3af0000.67.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
0.0.rb5iJg6pgN.exe.400000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.10.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2ba0000.10.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.70e0000.42.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
3.0.explorer.exe.2d40000.12.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.72.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3d80000.72.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.68.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.70.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c30000.70.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.69.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1e00000.51.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.74.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e20000.74.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.73.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.75.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.75.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.76.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e90000.76.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.11.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2bc0000.11.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d40000.12.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2d70000.13.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.440000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.78.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3eb0000.78.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.79.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1a20000.46.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.80.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ef0000.80.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.81.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.82.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.42c0000.82.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
6.2.systeminfo.exe.1e0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1da0000.49.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
6.2.systeminfo.exe.1e0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3c20000.69.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3130000.20.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.52.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.77.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.35f0000.65.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e60000.60.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ea0000.77.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
29.2.driverquery.exe.1a0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
29.2.driverquery.exe.1a0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.59.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
34.2.reg.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
34.2.reg.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
39.2.reg.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
39.2.reg.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2020000.9.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3e40000.32.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.5310000.83.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
3.0.explorer.exe.3140000.64.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.28.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.1df0000.50.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3de0000.73.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3f70000.81.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.2e30000.59.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.d0000.0.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3b70000.68.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3ee0000.79.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.5310000.41.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x601df:$mz: 4D 5A
3.0.explorer.exe.70e0000.84.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x62f67:$mz: 4D 5A 0xc7b9f:$mz: 4D 5A 0xc8cc4:$mz: 4D 5A 0xfa22c:$mz: 4D 5A 0xfab23:$mz: 4D 5A 0xfb5e6:$mz: 4D 5A 0xfbcde:$mz: 4D 5A 0x11c4ef:$mz: 4D 5A 0x126750:$mz: 4D 5A 0x12eb59:$mz: 4D 5A 0x1305fb:$mz: 4D 5A 0x130a9c:$mz: 4D 5A 0x133cb4:$mz: 4D 5A 0x14d7f7:$mz: 4D 5A 0x1523e2:$mz: 4D 5A 0x15513b:$mz: 4D 5A 0x159cc0:$mz: 4D 5A 0x16837f:$mz: 4D 5A 0x242953:$mz: 4D 5A 0x26cf5a:$mz: 4D 5A
3.0.explorer.exe.1a20000.46.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.71.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.470000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
14.2.net.exe.470000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
3.0.explorer.exe.3cc0000.28.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0xbf200:$mz: 4D 5A
3.0.explorer.exe.5310000.83.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x5f3df:$mz: 4D 5A 0xa07a0:$mz: 4D 5A 0xc3f48:$mz: 4D 5A 0xc5f38:$mz: 4D 5A 0x1184f0:$mz: 4D 5A 0x16fe24:$mz: 4D 5A 0x17afe7:$mz: 4D 5A 0x17e3e3:$mz: 4D 5A
3.0.explorer.exe.3cc0000.71.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0xbf200:$mz: 4D 5A
3.0.explorer.exe.5310000.41.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A 0x5f3df:$mz: 4D 5A 0xa07a0:$mz: 4D 5A 0xc3f48:$mz: 4D 5A 0xc5f38:$mz: 4D 5A 0x1184f0:$mz: 4D 5A 0x16fe24:$mz: 4D 5A 0x17afe7:$mz: 4D 5A 0x17e3e3:$mz: 4D 5A
24.2.tasklist.exe.640000.1.raw.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A
24.2.tasklist.exe.640000.1.unpack	Embedded_PE	unknown	unknown	0x0:$mz: 4D 5A

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

rb5iJg6pgN.exe (PID: 588 cmdline: 'C:\Users\user\Desktop\rb5iJg6pgN.exe' MD5: 879D9A2C75EE83443A0A913F5DC71B5C)

explorer.exe (PID: 2752 cmdline: C:\Windows\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3692 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cmd.exe (PID: 2764 cmdline: cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

systeminfo.exe (PID: 3856 cmdline: systeminfo.exe MD5: 258B2ED54FC7F74E2FDCCE5861549C1A)

cmd.exe (PID: 324 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3840 cmdline: cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3956 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

cmd.exe (PID: 3996 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1164 cmdline: cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

nslookup.exe (PID: 3752 cmdline: nslookup 127.0.0.1 MD5: 5E3830EE3282A53920E00784FEC44CFD)

cmd.exe (PID: 3896 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1600 cmdline: cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

tasklist.exe (PID: 1968 cmdline: tasklist.exe /SVC MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

cmd.exe (PID: 4032 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3576 cmdline: cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

driverquery.exe (PID: 2012 cmdline: driverquery.exe MD5: 5D1CFD8CF86F05BB27926C9A6893B635)

cmd.exe (PID: 3928 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2496 cmdline: cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 1668 cmdline: reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s MD5: D69A9ABBB0D795F21995C2F48C1EB560)

cmd.exe (PID: 3120 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 608 cmdline: cmd /C 'reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 3524 cmdline: reg.exe query 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' /s MD5: D69A9ABBB0D795F21995C2F48C1EB560)

cmd.exe (PID: 812 cmdline: cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5F76.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	159
Entropy (8bit):	5.054319599962191
Encrypted:	false
MD5:	D09C3E6F8C7111B2DB30B2D3601CC987
SHA1:	E2C675D03518D29BA2D14D4BDC63FDCB675B2B6D
SHA-256:	82DA6D5742114A473C1E2817655021EEA018626B76F896A2FFE183D9026A3F2D
SHA-512:	6F137C195EADF65E7EBC07E14DE8E19968CDCCCDD19437EF01D2411D09734990E1217F0C46A045E013EE8FC7DE51555EAC1C51464F7290BEE4542AFEC79B96AD
Malicious:	false
Reputation:	low
Preview:	.set MaxDiskSize=0...set DiskDirectory1="C:\Users\user~1\AppData\Local\Temp"...set CabinetName1="681A.bin".."C:\Users\user~1\AppData\Local\Temp\C60A.bin"..

C:\Users\user\AppData\Local\Temp\C60A.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII news text, with very long lines, with CRLF line terminators
Size (bytes):	77642
Entropy (8bit):	5.03702115025166
Encrypted:	false
MD5:	0D0D607C072B2A224C81DE53E197DB44
SHA1:	5466BAE567C4A04C59EEBAFF6AAF9A862B5F58CF
SHA-256:	542ACE99CEB2CA4F5171337CD87C1A0F4F4045D78109D955C9B8EFAA34DD9CD7
SHA-512:	71FB8878F1E5D2990956C6075F33BF1834821356D3CDE5555C7F25D64BB17BA53DC3090D4492506AC319AD82227D91C0404CA42CD4619A7D3C79E4932072D30C
Malicious:	false
Reputation:	low
Preview:	..Host Name: 715575..OS Name: Microsoft Windows 7 Professional ..OS Version: 6.1.7601 Service Pack 1 Build 7601..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: admin..Registered Organization: ..Product ID: 00371-O5M-9000752-95802..Original Install Date: 1/1/1601, 12:00:00 AM..System Boot Time: 6/27/2019, 1:22:19 PM..System Manufacturer: gExFScMrxa2lnLa..System Model: eg3wsF5O..System Type: X86-based PC..Processor(s): 1 Processor(s) Installed... [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz..BIOS Version: KR89T EPNVG, 12/1/2006..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume1..System Locale:

C:\Users\user\AppData\Local\Temp\C60A.bin1 Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	11
Entropy (8bit):	1.2776134368191157
Encrypted:	false
MD5:	5B3345909519932D6670D92F16496463
SHA1:	6CCABAAC9315486C106AB1BBB7E6F153F5C1A3BD
SHA-256:	0B5C0F6FFAC14107357E2C1BFE0DEA06932FD2AA5C8BD598A73F25655F0ABFD5
SHA-512:	B41A0E9BA8A092E134E9403EA3C1B080B8F2D1030CE14AFA2647B282F66A76C48A4419D5D0F7C3C78412A427F4B84B8B48349B76FF2C3FD1DA9EC80D2AB14A6B
Malicious:	false
Reputation:	low
Preview:	-------- ..

C:\Users\user\AppData\Roaming\Microsoft\{A29E757B-998D-241A-33F6-DD98178A614C}\cookie.ff\22qkc0w7.default\cookies.sqlite Download File
Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, user version 5
Size (bytes):	524288
Entropy (8bit):	0.027066873966569035
Encrypted:	false
MD5:	F44EA3853EDEC64521D77BE37417D577
SHA1:	53ECAC6D5E3BEFACD893E890D26E745508013676
SHA-256:	A151C9B2E25BF98E64F76B5CF3F23D5529BD68220DB595C894FA7F84DBEAEA44
SHA-512:	F71AC3937ED6AB4BE12E3C7F8705ACE7BB5DFD7DD19E4843E976814061C8FA8B8A92B029A4324459940708661AE71880DF41338E8D4CF5A8F1ECF3AB561F4CA7
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-.......}..~E..}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pilodirsob.com	5.188.60.53	true	true	unknown
1.0.0.127.in-addr.arpa	unknown	unknown	true	unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.mercadolivre.com.br/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.mtv.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.rambler.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.nifty.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.dailymail.co.uk/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www3.fnac.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscar.ya.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://constitution.org/usdeclar.txtC:	explorer.exe, 00000002.00000002.1544224987.01596000.00000004.sdmp	false	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://asp.usatoday.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://fr.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://rover.ebay.com	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://in.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.in/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://%s.com	explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	false	high
http://msk.afisha.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://policy.camerfirma.com0	explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	false	unknown
http://search.rediff.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.alexisisaac.net	C60A.bin.3.dr	false	unknown
http://www.ya.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://it.search.dada.net/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.naver.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.ru/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.abril.com.br/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.daum.net/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.naver.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.clarin.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscar.ozu.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://kr.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.about.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://busca.igbusca.com.br/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ask.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.cjmall.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.centrum.cz/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://suche.t-online.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.it/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.auction.co.kr/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ceneo.pl/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.amazon.de/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://sads.myspace.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
https://java.sun.com	C60A.bin.3.dr	false	unknown
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://google.pchome.com.tw/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://uk.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://html4/loose.dtd	explorer.exe, explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	false	low
http://espanol.search.yahoo.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.ozu.es/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.sify.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.gmarket.co.kr/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.nifty.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://searchresults.news.com.au/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.si/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.google.cz/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.soso.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.univision.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ebay.it/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.asharqalawsat.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://.css	explorer.exe, 00000002.00000002.1544201745.0156E000.00000002.sdmp	false	low
http://busca.orange.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000003.00000000.1514376422.05310000.00000008.sdmp	false	high
http://search.yahoo.co.jp	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.target.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://buscador.terra.es/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.iask.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.tesco.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.seznam.cz/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.quovadisglobal.com/cps0	explorer.exe, 00000003.00000000.1512922741.046ED000.00000004.sdmp	false	high
http://search.interpark.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.espn.go.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.myspace.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://service2.bfast.com/	explorer.exe, 00000003.00000000.1514674223.053C9000.00000008.sdmp	false	high
http://www.%s.comPA	explorer.exe, 00000003.00000000.1502801306.01D30000.00000008.sdmp	false	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
5.188.60.53	Russian Federation		62088	unknown	true

Private

IP
127.0.0.1

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	7.512686634305566
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rb5iJg6pgN.exe
File size:	1158144
MD5:	879d9a2c75ee83443a0a913f5dc71b5c
SHA1:	41c124f8b5341773046ac9c6b5924b7919e0ac15
SHA256:	53f7d917ad9ebf5b7d2ccc1a835083bc0c0b92cc69ee584703ea6e4345f5c457
SHA512:	1f84756f6f30b6bff2cf3d5796549c96672e6fe4b6ebaa55f3b2d2f8e5ea034dd8086d5985f640f2c37b58eac0af089ab48ae5a730403e86b0939923b2f3c69a
SSDEEP:	24576:GmZ5G43EgTDD55vd9lTTwTJvLqWZlzSq05sRlKi9AwvjUkSSX:jZ5rEgPfd9lTmvLq2lY0l+0X
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.mk...8...8...8.w.87..8...8...8.w.8F..8.w.8...8...8...8...8...8g_.8...8g_.8...8...8...8g_.8...8Rich...8................PE..L..

File Icon


Icon Hash:	0000000000000000

Static PE Info

General
Entrypoint:	0x435c58
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5CEB9756 [Mon May 27 07:52:54 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f716ba60b7f16c8a90094437582b28f7

Entrypoint Preview

Instruction
call 5F1ADD01h
jmp 5F1A3B05h
push 00000014h
push 004677A0h
call 5F1A7067h
call 5F1A5789h
movzx esi, ax
push 00000002h
call 5F1ADC94h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 5F1A3B06h
xor ebx, ebx
jmp 5F1A3B35h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 5F1A3AEDh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 5F1A3ADFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 5F1A3B0Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 5F1AA374h
test eax, eax
jne 5F1A3B0Ah
push 0000001Ch
call 5F1A3BE1h
pop ecx
call 5F1AAB72h
test eax, eax
jne 5F1A3B0Ah
push 00000010h
call 5F1A3BD0h
pop ecx
call 5F1A97F1h
and dword ptr [ebp-04h], 00000000h
call 5F1A8035h
test eax, eax
jns 5F1A3B0Ah
push 0000001Bh
call 5F1A3BB6h
pop ecx
call dword ptr [0044D16Ch]
mov dword ptr [0046C9D4h], eax
call 5F1ADCE6h
mov dword ptr [0046BAF8h], eax
call 5F1AD8E7h
test eax, eax
jns 5F1A3B0Ah

Rich Headers

Programming Language:

[RES] VS2012 UPD4 build 61030
[C++] VS2012 UPD4 build 61030
[ C ] VS2008 SP1 build 30729
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x67d2c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0xab650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11a000	0x2ca8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x66050	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4d000	0x290	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c000	0x4c000	False	0.51803749486	ump; data	6.56856854584	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4d000	0x1bc24	0x1be00	False	0.555177970852	ump; ACB archive data	6.29298955089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x69000	0x4a00	0x1c00	False	0.317103794643	ump; data	3.76908810963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6e000	0xab650	0xab800	False	0.930057625729	ump; data	7.84161700641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11a000	0x5580	0x5600	False	0.414471293605	ump; data	4.31039869015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x6ea50	0x137b	ump; PNG image, 438 x 240, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6fdcc	0x1766	ump; PNG image, 365 x 200, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x71534	0x443	ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71978	0x3b9	ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71d34	0x172	ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0x71ea8	0x286	ump; PNG image, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States
SCID	0x72130	0x10f1a	ump; data	English	United States
SCID	0x8304c	0x5852	ump; data	English	United States
SCID	0x888a0	0x8f04	ump; data	English	United States
SCID	0x917a4	0xf2da	ump; data	English	United States
SCID	0xa0a80	0x10a46	ump; data	English	United States
SCID	0xb14c8	0x5802	ump; data	English	United States
SCID	0xb6ccc	0x643e	ump; data	English	United States
SCID	0xbd10c	0xa08c	ump; data	English	United States
XML	0xc7198	0xd181	ump; data	English	United States
XML	0xd431c	0x131b0	ump; data	English	United States
XML	0xe74cc	0xed0e	ump; data	English	United States
XML	0xf61dc	0xbc11	ump; data	English	United States
XML	0x101df0	0xaf12	ump; data	English	United States
RT_ICON	0x10cd04	0x1915	ump; PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x10e61c	0x468	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x10ea84	0x25a8	ump; data	English	United States
RT_ICON	0x11102c	0x10a8	ump; data	English	United States
RT_ICON	0x1120d4	0x2868	ump; data	English	United States
RT_ICON	0x11493c	0x4228	ump; data	English	United States
RT_ACCELERATOR	0x118b64	0x10	ump; data	English	United States
RT_ACCELERATOR	0x118b74	0x180	ump; data	English	United States
RT_ACCELERATOR	0x118cf4	0x50	ump; data	English	United States
RT_ACCELERATOR	0x118d44	0x8	ump; DBase 3 data file with memo(s) (38 records)	English	United States
RT_ACCELERATOR	0x118d4c	0x50	ump; DBase 3 data file (7 records)	English	United States
RT_ACCELERATOR	0x118d9c	0x48	ump; data	English	United States
RT_ACCELERATOR	0x118de4	0x18	ump; data	English	United States
RT_ACCELERATOR	0x118dfc	0x48	ump; data	English	United States
RT_ACCELERATOR	0x118e44	0x18	ump; DBase 3 data file (58114 records)	English	United States
RT_ACCELERATOR	0x118e5c	0x120	ump; data	English	United States
RT_GROUP_ICON	0x118f7c	0x5a	ump; MS Windows icon resource - 6 icons, 256-colors	English	United States
RT_VERSION	0x118fd8	0x404	ump; data	English	United States
RT_MANIFEST	0x1193dc	0x271	ump; XML document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcessHeap, GetOEMCP, GetACP, IsValidCodePage, SetFilePointerEx, ReadFile, GetFileType, GetConsoleMode, GetConsoleCP, FlushFileBuffers, IsDebuggerPresent, HeapSize, GetModuleFileNameW, WriteFile, GetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, SetFilePointer, DeleteFileW, ReadConsoleW, OutputDebugStringW, LoadLibraryW, SetStdHandle, WriteConsoleW, CreateFileW, SetEndOfFile, GetUserDefaultLangID, EnumTimeFormatsA, QueryPerformanceCounter, GetPriorityClass, CreateEventA, CloseHandle, GetFileInformationByHandle, LoadResource, WaitForSingleObject, GetLastError, GetCurrentProcess, VirtualAlloc, IsProcessorFeaturePresent, GetModuleHandleW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCPInfo, FindResourceExW, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, GetCommandLineA, LoadLibraryExW, GlobalAlloc, LCMapStringW, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, Sleep, EncodePointer, DecodePointer, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, HeapFree, HeapAlloc, RaiseException, RtlUnwind, GetSystemTimeAsFileTime, GetCurrentThreadId
USER32.dll	BeginDeferWindowPos, MoveWindow, TranslateMessage, ShowWindow, DrawFrameControl, wsprintfA, DestroyWindow, DefWindowProcA, GetScrollInfo, SetScrollInfo, LoadImageA, GetClassNameA, SetWindowLongA, GetCursorPos, MessageBoxA, GetClientRect, SetWindowTextA, DeferWindowPos, ScrollWindow, RedrawWindow, UpdateWindow, GetSubMenu, EnableMenuItem, CheckMenuItem, GetMenu, GetSystemMetrics, TranslateAcceleratorA, CreateAcceleratorTableA, SendInput, SetFocus, GetDialogBaseUnits, SendDlgItemMessageA, SetDlgItemTextA, DialogBoxIndirectParamA, CreateDialogParamA, EndDeferWindowPos, SendMessageA
GDI32.dll	GetTextFaceA, SetWindowExtEx, TextOutA, SetAbortProc, SetTextColor, SetStretchBltMode, SetMapMode, SelectObject, GetViewportOrgEx, DescribePixelFormat, DeleteObject, CreateRectRgn, CreateFontIndirectA, CombineRgn, GetViewportExtEx
COMDLG32.dll	ChooseColorA, GetOpenFileNameA
ADVAPI32.dll	CryptSetKeyParam, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextA
SHELL32.dll	SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetMalloc
ole32.dll	CreateBindCtx
CRYPT32.dll	CertDuplicateStore
COMCTL32.dll
pdh.dll	PdhCollectQueryData
AUTHZ.dll	AuthzInitializeResourceManager, AuthzFreeResourceManager

Version Infos

Description	Data
LegalCopyright	AT&T . All rights reserved.
InternalName	Worker
FileVersion	3.2.34.7
CompanyName	AT&T
PrivateBuild	3.2.34.7
LegalTrademarks	AT&T . All rights reserved.
Comments	Nvarchar Anatomicity Cursor Hping Presentation
ProductName	Worker
ProductVersion	3.2.34.7
FileDescription	Nvarchar Anatomicity Cursor Hping Presentation
OriginalFilename	Worker
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 27, 2019 14:40:30.664177895 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.664243937 MESZ	443	49217	5.188.60.53	192.168.1.82
Jun 27, 2019 14:40:30.664310932 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.677723885 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:40:30.677813053 MESZ	443	49217	5.188.60.53	192.168.1.82
Jun 27, 2019 14:41:30.676192045 MESZ	49217	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.710488081 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.710549116 MESZ	443	49218	5.188.60.53	192.168.1.82
Jun 27, 2019 14:41:40.710649014 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.711812973 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:41:40.711837053 MESZ	443	49218	5.188.60.53	192.168.1.82
Jun 27, 2019 14:42:43.925165892 MESZ	49218	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.455424070 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.455466986 MESZ	443	49219	5.188.60.53	192.168.1.82
Jun 27, 2019 14:45:28.455539942 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.456442118 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:45:28.456466913 MESZ	443	49219	5.188.60.53	192.168.1.82
Jun 27, 2019 14:46:27.800895929 MESZ	49219	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.843228102 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.843271971 MESZ	443	49220	5.188.60.53	192.168.1.82
Jun 27, 2019 14:46:37.844336987 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.854083061 MESZ	49220	443	192.168.1.82	5.188.60.53
Jun 27, 2019 14:46:37.854146004 MESZ	443	49220	5.188.60.53	192.168.1.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 27, 2019 14:40:30.214903116 MESZ	51204	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:30.554101944 MESZ	53	51204	8.8.8.8	192.168.1.82
Jun 27, 2019 14:40:50.641695976 MESZ	51205	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:50.656946898 MESZ	53	51205	8.8.8.8	192.168.1.82
Jun 27, 2019 14:40:50.663505077 MESZ	51206	53	192.168.1.82	8.8.8.8
Jun 27, 2019 14:40:50.676203012 MESZ	53	51206	8.8.8.8	192.168.1.82

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 27, 2019 14:40:30.214903116 MESZ	192.168.1.82	8.8.8.8	0x902e	Standard query (0)	pilodirsob.com	A (IP address)	IN (0x0001)
Jun 27, 2019 14:40:50.641695976 MESZ	192.168.1.82	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jun 27, 2019 14:40:50.663505077 MESZ	192.168.1.82	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 27, 2019 14:40:30.554101944 MESZ	8.8.8.8	192.168.1.82	0x902e	No error (0)	pilodirsob.com		5.188.60.53	A (IP address)	IN (0x0001)
Jun 27, 2019 14:40:50.656946898 MESZ	8.8.8.8	192.168.1.82	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jun 27, 2019 14:40:50.676203012 MESZ	8.8.8.8	192.168.1.82	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
KERNEL32.dll:CreateProcessW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: kernel32.dll

Function Name	Hook Type	New Data
CreateProcessW	EAT	773C9000
CreateProcessW	INLINE	0xE9 0x9B 0xBC 0xC2 0x29 0x9D
CreateProcessA	EAT	773C9005
CreateProcessA	INLINE	0xE9 0x94 0x44 0x42 0x2A 0xAD
CreateProcessAsUserW	EAT	773C900A
CreateProcessAsUserW	INLINE	0xE9 0x96 0x6E 0xE2 0x2B 0xBD

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
KERNEL32.dll:CreateProcessW	IAT	51BB9C1

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: rb5iJg6pgN.exe PID: 588 Parent PID: 3356

General

Start time:	14:38:30
Start date:	27/06/2019
Path:	C:\Users\user\Desktop\rb5iJg6pgN.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\rb5iJg6pgN.exe'
Imagebase:	0x400000
File size:	1158144 bytes
MD5 hash:	879D9A2C75EE83443A0A913F5DC71B5C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000000.00000000.1467280177.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000001.1467651208.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1499833844.002D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1499976703.00400000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000003.1486070629.01620000.00000004.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 2752 Parent PID: 588

General

Start time:	14:38:43
Start date:	27/06/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x70000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1543921572.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1544091557.00650000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000002.00000002.1544074903.00630000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3692 Parent PID: 2752

General

Start time:	14:38:43
Start date:	27/06/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x70000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1499473775.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1499698657.00440000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1501425872.016F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502801306.01D30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502827811.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502842638.01DA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502889959.01E00000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502878957.01DF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1502536161.01A20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1503029285.02020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507679611.02BA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507689530.02BC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507943848.02D40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507950533.02D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1507991377.02DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508015150.02E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508035531.02E60000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508020629.02E30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508119677.03020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508132762.03080000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508179226.03130000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508183860.03140000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508802180.035F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508810634.03600000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1508897767.03AF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509255440.03C20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510641728.03D80000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510698102.03E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510826926.03EE0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510791092.03EB0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510705859.03E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510762006.03E90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510778872.03EA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510661452.03DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510834757.03EF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510878677.03F70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509201484.03B70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509319448.03C30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1510996422.04150000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1511065722.042C0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1516367336.070E0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1509998222.03CC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1526476296.016F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528350249.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528282321.01D30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1529056137.01E00000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528914237.01DF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1529414366.02020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534115502.02BA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534129692.02BC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534313551.02D40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534334049.02D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1528641544.01DA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534425716.02E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534481919.02E60000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534585823.03020000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534437822.02E30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534605501.03080000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534672142.03130000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534679802.03140000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1524597638.00440000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1524475486.00060000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1514376422.05310000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535904797.03AF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1534388387.02DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536709172.03D80000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536750248.03E20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535812569.035F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536757874.03E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536809625.03EB0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536825861.03EE0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536800241.03EA0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536870913.03F70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1527805844.01A20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1537045293.042C0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536075349.03C30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536732103.03DE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536026873.03C20000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535821910.03600000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536791257.03E90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1535957747.03B70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536833113.03EF0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1538556444.05310000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1536262211.03CC0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000003.00000000.1540736146.070E0000.00000002.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2764 Parent PID: 3692

General

Start time:	14:39:43
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'systeminfo.exe > C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4abd0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: systeminfo.exe PID: 3856 Parent PID: 2764

General

Start time:	14:39:43
Start date:	27/06/2019
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo.exe
Imagebase:	0x320000
File size:	75776 bytes
MD5 hash:	258B2ED54FC7F74E2FDCCE5861549C1A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000006.00000002.1659326612.001E0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 324 Parent PID: 3692

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a490000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3840 Parent PID: 3692

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'net view >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4aa40000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: net.exe PID: 3956 Parent PID: 3840

General

Start time:	14:39:53
Start date:	27/06/2019
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x6c0000
File size:	46080 bytes
MD5 hash:	B9A4DAC2192FD78CDA097BFA79F6E7B2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000000E.00000002.1686373712.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000E.00000002.1686572361.00470000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3996 Parent PID: 3692

General

Start time:	14:40:03
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a470000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1164 Parent PID: 3692

General

Start time:	14:40:04
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'nslookup 127.0.0.1 >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4ac40000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: nslookup.exe PID: 3752 Parent PID: 1164

General

Start time:	14:40:04
Start date:	27/06/2019
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup 127.0.0.1
Imagebase:	0x5e0000
File size:	98304 bytes
MD5 hash:	5E3830EE3282A53920E00784FEC44CFD
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3896 Parent PID: 3692

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a2b0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1600 Parent PID: 3692

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'tasklist.exe /SVC >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x49fe0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: tasklist.exe PID: 1968 Parent PID: 1600

General

Start time:	14:40:05
Start date:	27/06/2019
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist.exe /SVC
Imagebase:	0x990000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000018.00000002.1694019901.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000018.00000002.1694247399.00640000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4032 Parent PID: 3692

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a310000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3576 Parent PID: 3692

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'driverquery.exe >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a480000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: driverquery.exe PID: 2012 Parent PID: 3576

General

Start time:	14:40:07
Start date:	27/06/2019
Path:	C:\Windows\System32\driverquery.exe
Wow64 process (32bit):	false
Commandline:	driverquery.exe
Imagebase:	0x850000
File size:	66048 bytes
MD5 hash:	5D1CFD8CF86F05BB27926C9A6893B635
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000001D.00000002.1710546118.001A0000.00000008.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3928 Parent PID: 3692

General

Start time:	14:40:14
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'echo -------- >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a150000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2496 Parent PID: 3692

General

Start time:	14:40:14
Start date:	27/06/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'reg.exe query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' /s >> C:\Users\user~1\AppData\Local\Temp\C60A.bin1'
Imagebase:	0x4a1f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: reg.exe PID: 1668 Parent PID: 2496

General

Start time:	14:40:15
Start date:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report rb5iJg6pgN.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

User Modules