Analysis Report zhAQkCQvME

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 997215
Start date: 13.11.2019
Start time: 19:26:48
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 15m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: zhAQkCQvME (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 6
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winEXE@25/7@2/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 66.9% (good quality ratio 61.7%)
  • Quality average: 77%
  • Quality standard deviation: 31.8%
HCA Information:
  • Successful, ratio: 83%
  • Number of executed functions: 255
  • Number of non-executed functions: 213
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Qbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample hooks winsock APIs (likely related to a banking trojan), analyze sample with the 'Check if internet explorer is infected by malware' cookbook
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts1 | Windows Management Instrumentation21 | Registry Run Keys / Startup Folder1 | Exploitation for Privilege Escalation1 | Software Packing22 | Network Sniffing1 | System Time Discovery1 | Remote File Copy2 | Input Capture11 | Data Encrypted11 | Uncommonly Used Port1
Replication Through Removable Media | Execution through API1 | Hooking21 | Hooking21 | Deobfuscate/Decode Files or Information1 | Hooking21 | Account Discovery1 | Remote Services | Clipboard Data1 | Exfiltration Over Other Network Medium | Remote File Copy2
Drive-by Compromise | Command-Line Interface1 | Valid Accounts1 | Valid Accounts1 | Obfuscated Files or Information2 | Input Capture11 | Security Software Discovery341 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol22
Exploit Public-Facing Application | Service Execution2 | Scheduled Task1 | Access Token Manipulation11 | Rootkit2 | Credentials in Files | File and Directory Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol3
Spearphishing Link | Scheduled Task1 | Modify Existing Service1 | Process Injection711 | Valid Accounts1 | Account Manipulation | Network Sniffing1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol13
Spearphishing Attachment | Graphical User Interface | New Service3 | Scheduled Task1 | Access Token Manipulation11 | Brute Force | System Information Discovery35 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | New Service3 | Process Injection711 | Two-Factor Authentication Interception | Network Share Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Query Registry1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Process Discovery4 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Hardware Additions | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Owner/User Discovery1 | Taint Shared Content | Audio Capture |  | Connection Proxy
 | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | Remote System Discovery11 | Replication Through Removable Media | Video Capture |  | Communication Through Removable Media
 | Regsvr32 | New Service | Bypass User Account Control | Indicator Removal on Host | Securityd Memory | System Network Configuration Discovery2 | Pass the Ticket | Man in the Browser |  | Custom Command and Control Protocol

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
  Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  Source: zhAQkCQvME.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
  Source: zhAQkCQvME.exe | Joe Sandbox ML: detected
Genetic Malware detection for sample
  Source: zhAQkCQvME.exe | Intezer: detection malicious, Label: Qakbot
Genetic detection for dropped file
  Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Intezer: detection malicious, Label: Qakbot
Multi AV Scanner detection for submitted file
  Source: zhAQkCQvME.exe | Virustotal: Detection: 76%
Antivirus or Machine Learning detection for unpacked file
  Source: 18.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 12.2.explorer.exe.3f0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 17.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 5.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 14.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 7.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 7.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 2.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 1.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 6.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 2.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 0.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 5.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 0.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 14.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
  Source: 18.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 1.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 17.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
  Source: 6.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  Source: C:\Windows\explorer.exe | Code function: 12_2_01510C9E CryptAcquireContextA, 12_2_01510C9E

Spreading:

Contains functionality to enumerate network shares
  Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00410BA0 NetUserEnum, LookupAccountNameW, LookupAccountNameW, Sleep, NetApiBufferFree, 0_2_00410BA0
  Source: C:\Windows\explorer.exe | Code function: 12_2_00400BA0 NetUserEnum, LookupAccountNameW, LookupAccountNameW, Sleep, NetApiBufferFree, 12_2_00400BA0
Contains functionality to enumerate / list files inside a directory
  Source: C:\Windows\explorer.exe | Code function: 12_2_0151B870 FindFirstFileW, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, 12_2_0151B870

Networking:

May check the online IP address of the machine
  Source: unknown | DNS query: name: www.ip-adress.com
Uses ping.exe to check the status of other devices and networks
  Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Detected TCP or UDP traffic on non-standard ports
  Source: global traffic | TCP traffic: 192.168.1.107:49161 -> 23.49.13.33:7000
IP address seen in connection with other malware
  Source: Joe Sandbox View | IP Address: 23.49.13.33
Internet Provider seen in connection with other malware
  Source: Joe Sandbox View | ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
  Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
  Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Uses a known web browser user agent for HTTP communication
  Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Host: www.ip-adress.com
    Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
  Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33
Downloads files
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\Y0S5SGVE.htm
Downloads files from webservers via HTTP
  Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Host: www.ip-adress.com
    Cache-Control: no-cache
Found strings which match to known social media urls
  Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <a href="https://www.facebook.com/whoisip" target="_blank">Visit ip-adress.com on Facebook</a> equals www.facebook.com (Facebook)
  Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <aside class="share"><div class="shariff" data-button-style="standard" data-lang="en" data-services="facebook,twitter,googleplus"></div></aside><aside class="ad link no-label"> equals www.twitter.com (Twitter)
  Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <p>Your IP is the network protocol in the background that helps you communicate online using websites, sending email, chatting on Facebook, and everything else requiring an Internet connection. An IP Address is required to connect to the Internet, and IP-Adress.com gives you the tools that can help you.</p> equals www.facebook.com (Facebook)
  Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365!$ equals www.hotmail.com (Hotmail)
  Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: NTUSER.DAT<%02X>AVAST Softwarei3w1explorer.exef1DELETE.aniEND*/* url=[%s] user=[%s] pass=[%s]LEFT10AvastObtainUserAgentString.lnkPR_SetError000comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;mysh
  Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;myshopres.com;conduit-services.com;zynga.com;.5min.com;netflix.com;tubemogul.com;youtube.com;brightcove.com;mochibot.com;fwmrm.net;mendeley.com equ
  Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: facebook.com/login equals www.facebook.com (Facebook)
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: www.ip-adress.com
Urls found in memory or binary data
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
  Source: explorer.exe, 0000000C.00000003.528867765.024F6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainVal
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
  Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000002.755364075.0247C000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5c237a5af5bbb
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk0Zjk4MDE0NWQzMTY4NzhkNWI2YjZhNDRlYTRiYTdlNzQ4O
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMBW?ver=870f
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl4?ver=1412
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl8?ver=7064
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIE?ver=198d
  Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIH?ver=cc00
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIm?ver=d018
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAFvutY?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtTgs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtYkG?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtrJ1?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuD5P?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuFNw?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHucYP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudP8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudWM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuzRp?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv5DU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv9aU?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvWgM?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvXhQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvaL6?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvwNG?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwCff?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwESx?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwGur?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwOoE?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwR4s?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
  Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzklAJ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBGjoVB?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBIbTiS?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBK9Hzy?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPRPvf?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBSDdmG?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTrj40?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUZVvV?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVBUge?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
  Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
  Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: taskhost.exe, 00000013.00000000.539359532.00216000.00000004.00000020.sdmp | String found in binary or memory: http://schemas.micro
Source: zhAQkCQvME.exe, 00000000.00000003.453309642.01B5B000.00000004.00000001.sdmp, zhAQkCQvME.exe, 00000005.00000003.475248063.00F2B000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.481716807.0177B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoa
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/865af804/webcore/externalscripts/oneTrust/de-
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-434a1743/directi
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp, taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-72257498/directio
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAFvutY.img?h=368&w=622
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtTgs.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtYkG.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtrJ1.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuD5P.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuFNw.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHucYP.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudP8.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudWM.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuzRp.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv5DU.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv9aU.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvWgM.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvXhQ.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvaL6.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvwNG.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwCff.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwESx.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwGur.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwOoE.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwR4s.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzklAJ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmp | String found in binary or memory: http://www.flos-freeware.ch
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmp | String found in binary or memory: http://www.flos-freeware.ch.JNo
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe | String found in binary or memory: http://www.ip-adress.com
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: http://www.ip-adress.com/
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-adress.comIP
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: taskhost.exe, 00000013.00000000.549280591.015B0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://162.244.225.30/
Source: explorer.exe, 0000000C.00000002.755328696.02450000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.551865684.00262000.00000004.00000020.sdmp | String found in binary or memory: https://162.244.225.30/t3
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://162.244.225.30/t3l
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://162.244.225.30/t3rn
Source: explorer.exe, 0000000C.00000002.753929443.0190E000.00000004.00000040.sdmp | String found in binary or memory: https://162.244.225.30:443/t3
Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: https://9i43.gifabc11application/x-shockwave-flash
Source: explorer.exe, 0000000C.00000003.535537778.01779000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, dwm.exe, 00000015.00000002.760410563.013B0000.00000040.00000001.sdmp | String found in binary or memory: https://Content-LengthHostHTTP/1.1.text
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV4251.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://cvision.media.net/new/300x300/2/215/35/104/aa3002d0-2753-44c0-81c6-b4a1cc6b295a.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://cvision.media.net/new/300x300/2/249/134/240/448cf229-1ded-4c2a-8cfe-21be5d0e9c41.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://cvision.media.net/new/300x300/2/29/52/32/f97e093e-8f0a-46a8-8138-df7da8ff5790.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://cvision.media.net/new/300x300/3/74/46/90/d639d099-11d6-4d90-82f4-691ae09aeb85.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMCc?ver=931d&q=90&m
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/MeControl_c9aw5DbuWFl6vX_Fomxwrw2.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meBoot.min.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meCore.min.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://wh.ip-adress.com/c
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://wh.ip-adress.com/r1
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/maps/embed/v1/view?key=AIzaSyDtXbKhM0BYZn5-zkO-6b1E8DE6UG9vMbo&center=47.3925
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/N
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/about
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/advertising
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/contact
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/glossary/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address-distance
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/10.234.25.119
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/162.159.133.234
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/189.239.190.192
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/197.80.130.8
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/65.25.55.21
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/74.50.111.156
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/80.187.107.2
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-address/lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/ip-to-zip-code
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/legal-notice
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/privacy-policy
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/proxy-checker
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/proxy-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/reverse-ip-lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/search
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/service/ip-location-api
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/service/ip-location-database
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.css
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/site-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/sitemap
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/speedtest/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/trace-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/verify-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/website/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/website/express.de
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/website/indoxxi.center
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/what-is-my-ip-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: https://www.ip-adress.com/whois-lookup
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49160 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49158
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49158 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49160
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Hooks clipboard functions (used to sniff clipboard data)
Source: explorer.exe | IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015D9210 GetModuleHandleA,GetProcAddress,GetKeyboardState,ToAscii, | 19_2_015D9210

E-Banking Fraud:

barindex
Hooks winsocket function (used for sniffing or altering network traffic)Show sources
Source: explorer.exeFile created: function: HttpSendRequestExW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040C370 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,GetCurrentProcess,NtDuplicateObject,CloseHandle,_wcscmp,CloseHandle,CloseHandle,CloseHandle,StrStrIW,CloseHandle,CloseHandle
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00404400 GetLastError,EqualSid,memset,CreateProcessAsUserW,CloseHandle
Creates mutexes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{B9EC2CD2-EC20-4B7F-99E4-9EB20CB3037F}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Mutant created: \BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Mutant created: \Sessions\1\BaseNamedObjects\wuinmr
Detected potential crypto function
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00409C00
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040A090
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040F770
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_004031F0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0041280F
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00402690
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040CEA0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_004088B0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00413120
Source: C:\Windows\explorer.exe Code function: 12_2_003F2690
Source: C:\Windows\explorer.exe Code function: 12_2_003F9C00
Source: C:\Windows\explorer.exe Code function: 12_2_0040280F
Source: C:\Windows\explorer.exe Code function: 12_2_003F88B0
Source: C:\Windows\explorer.exe Code function: 12_2_003FA090
Source: C:\Windows\explorer.exe Code function: 12_2_00403120
Source: C:\Windows\explorer.exe Code function: 12_2_003F31F0
Source: C:\Windows\explorer.exe Code function: 12_2_003FCEA0
Source: C:\Windows\explorer.exe Code function: 12_2_003FF770
Source: C:\Windows\explorer.exe Code function: 12_2_0151EA50
Source: C:\Windows\explorer.exe Code function: 12_2_0151E5C0
Source: C:\Windows\explorer.exe Code function: 12_2_01511112
Source: C:\Windows\explorer.exe Code function: 12_2_015131DC
Source: C:\Windows\explorer.exe Code function: 12_2_015269AF
Source: C:\Windows\explorer.exe Code function: 12_2_01511A1B
Source: C:\Windows\explorer.exe Code function: 12_2_01512AD6
Source: C:\Windows\explorer.exe Code function: 12_2_015272C0
Source: C:\Windows\explorer.exe Code function: 12_2_01515530
Source: C:\Windows\explorer.exe Code function: 12_2_01511533
Source: C:\Windows\explorer.exe Code function: 12_2_01523C50
Source: C:\Windows\explorer.exe Code function: 12_2_01520650
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E9EC0
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E7100
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E51D0
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015EB580
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E4C00
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015D1430
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E2382
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E1AD0
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015E9AF0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C9EC0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C7100
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C51D0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013DA1CF
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013DA354
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013DA352
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C2382
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C9AF0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C1AD0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013CB580
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013B1430
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013C4C00
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E9EC0
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E7100
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E51D0
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011FA1CF
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011FA354
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011FA352
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E2382
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E1AD0
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E9AF0
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011EB580
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011E4C00
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011D1430
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C9EC0
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C7100
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C51D0
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011DA1CF
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011DA354
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011DA352
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C2382
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C1AD0
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C9AF0
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011CB580
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011C4C00
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011B1430
Found potential string decryption / allocating functions
Source: C:\Windows\explorer.exe Code function: String function: 01510CBC appears 37 times
PE file contains strange resources
Source: zhAQkCQvME.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different from original file name gathered from version info
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamerjrwer.exev vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470376366.002B0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000002.451933719.00170000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp Binary or memory string: originalfilename vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.482849544.002B0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.485204244.00A60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs zhAQkCQvME.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\zhAQkCQvME.exe File read: C:\Users\user\Desktop\zhAQkCQvME.exe
Yara signature match
Source: 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 00000000.00000002.472365977.01B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp, type: MEMORY Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
PE file contains an invalid data directory
Source: zhAQkCQvME.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0
Source: jkfkdm.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: zhAQkCQvME.exe Static PE information: Section: CODE ZLIB complexity 0.999666291739
Source: jkfkdm.exe.0.dr Static PE information: Section: CODE ZLIB complexity 0.999666291739
Classification label
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@25/7@2/4
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00407340 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00404290 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00410920 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00408290 FindResourceA,SizeofResource,LoadResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Source: C:\Windows\explorer.exe Code function: 12_2_003F1420 StartServiceCtrlDispatcherA
Creates files inside the user directory
Source: C:\Users\user\Desktop\zhAQkCQvME.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown
Creates temporary files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\~jkfkdm.tmp
Found command line output
Source: C:\Windows\System32\schtasks.exe Console Write: ........a..v..0.....d...`...D....f..........................`.L...l.<.n.0.n.......!...L.........0.!.........rp....!.G..u
Source: C:\Windows\System32\schtasks.exe Console Write: ........a..v..0.........$...L...,n..........................`.....&.x.....(...................................w.....G..u
Launches a second explorer.exe instance
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: zhAQkCQvME.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries a list of all open handles
Source: C:\Users\user\Desktop\zhAQkCQvME.exe System information queried: HandleInformation
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Reads software policies
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: zhAQkCQvME.exe Virustotal: Detection: 76%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\zhAQkCQvME.exe 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Source: unknown Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
PE file contains a debug data directory
Source: zhAQkCQvME.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
PE file contains an invalid checksum
Source: jkfkdm.exe.0.dr Static PE information: real checksum: 0x36016 should be: 0xb495e
Source: zhAQkCQvME.exe Static PE information: real checksum: 0x36016 should be: 0xb495e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\explorer.exe Code function: 12_2_0040ACE6 push ebx; ret 12_2_0040ACE7
Source: C:\Windows\explorer.exe Code function: 12_2_0040AA34 push cs; iretd 12_2_0040AB0A
Source: C:\Windows\explorer.exe Code function: 12_2_0040AB36 push cs; iretd 12_2_0040AB0A
Source: C:\Windows\explorer.exe Code function: 12_2_0153212C push cs; iretd 12_2_01532202
Source: C:\Windows\explorer.exe Code function: 12_2_0152B043 push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe Code function: 12_2_0152B0AB push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe Code function: 12_2_0152B0AD push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe Code function: 12_2_015323DE push ebx; ret 12_2_015323DF
Source: C:\Windows\explorer.exe Code function: 12_2_01535260 push esp; ret 12_2_01535264
Source: C:\Windows\explorer.exe Code function: 12_2_0153222E push cs; iretd 12_2_01532202
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015F3D7E push ebx; ret 19_2_015F3D7F
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015F3BCE push cs; iretd 19_2_015F3BA2
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015F3ACC push cs; iretd 19_2_015F3BA2
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013D3BCE push cs; iretd 21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013D3ACC push cs; iretd 21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013D3D7E push ebx; ret 21_2_013D3D7F
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011F3BCE push cs; iretd 24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011F3ACC push cs; iretd 24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011F3D7E push ebx; ret 24_2_011F3D7F
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011D3BCE push cs; iretd 25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011D3ACC push cs; iretd 25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011D3D7E push ebx; ret 25_2_011D3D7F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\zhAQkCQvME.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Contains functionality to start windows services
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Creates an autostart registry key
Source: C:\Windows\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: USER32.dll function: TranslateMessage new code: 0xE9 0x91 0x10 0x02 0x2F 0xF4
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Memory written: PID: 2600 base: 5102D value: E9 2E 1A 3A 00
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,0_2_0040B120
Source: C:\Windows\explorer.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,12_2_003FB120
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040B450 in eax, dx 0_2_0040B450
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found stalling execution ending in API Sleep call
Source: C:\Windows\explorer.exe | Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp | Binary or memory string: OLLYDBG.EXE
Source: dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp | Binary or memory string: OLLYDBG.EXEP
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp | Binary or memory string: OLLYDBG.EXECJ
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp | Binary or memory string: WINDBG.EXE
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp | Binary or memory string: WINDBG.EXEDJ
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,0_2_0040AE50
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040AC10 SetupDiGetDeviceRegistryPropertyA,GetLastError,0_2_0040AC10
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\cmd.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\zhAQkCQvME.exe
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\dwm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\notepad.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\taskhost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\dwm.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\taskhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\notepad.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 1500 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2376 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2396 | Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2428 | Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2440 | Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2464 | Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 1988 | Thread sleep time: -780000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2112 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2112 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2500 | Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2924 | Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2056 | Thread sleep count: 35 > 30
Source: C:\Windows\explorer.exe TID: 1892 | Thread sleep time: -6240000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1892 | Thread sleep time: -60000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\explorer.exe | Code function: 12_2_0151B870 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,12_2_0151B870
Contains functionality to query system information
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00409F40 GetSystemInfo,0_2_00409F40
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000016.00000000.606027780.031C6000.00000004.00000001.sdmp | Binary or memory string: vmbusres.dlld
Program exit points
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,0_2_0040AE50
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_00407A30
Contains functionality to read the PEB
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015FCDB0 mov eax, dword ptr fs:[00000030h] 19_2_015FCDB0
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_004C0000 mov eax, dword ptr fs:[00000030h] 19_2_004C0000
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013DCDB0 mov eax, dword ptr fs:[00000030h] 21_2_013DCDB0
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013DCDB0 mov eax, dword ptr fs:[00000030h] 21_2_013DCDB0
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_001E0000 mov eax, dword ptr fs:[00000030h] 21_2_001E0000
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011FD090 mov eax, dword ptr fs:[00000030h] 24_2_011FD090
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011FD090 mov eax, dword ptr fs:[00000030h] 24_2_011FD090
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_01250000 mov eax, dword ptr fs:[00000030h] 24_2_01250000
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011DCDB0 mov eax, dword ptr fs:[00000030h] 25_2_011DCDB0
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011DCDB0 mov eax, dword ptr fs:[00000030h] 25_2_011DCDB0
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011F0000 mov eax, dword ptr fs:[00000030h] 25_2_011F0000
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\explorer.exe | Code function: 12_2_0150F10A GetProcessHeap,HeapAlloc,12_2_0150F10A
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_005C2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,0_2_005C2A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 1_2_01322A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,1_2_01322A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 2_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,2_2_01292A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 5_2_006D2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,5_2_006D2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 6_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,6_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 7_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,7_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 14_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,14_2_01252A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 17_2_012A2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,17_2_012A2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Code function: 18_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,18_2_01252A35

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 209.126.124.166 187
Source: C:\Windows\explorer.exe | Network Connect: 23.49.13.33 7000
Source: C:\Windows\explorer.exe | Network Connect: 162.244.225.30 187
Allocates memory in foreign processes
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute readJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute readJump to behavior
Creates a thread in another existing process (thread injection)Show sources
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\taskhost.exe EIP: 4C0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\dwm.exe EIP: 1E0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\explorer.exe EIP: 1ED0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\conhost.exe EIP: 1250000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\notepad.exe EIP: 11F0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\conhost.exe EIP: 90000Jump to behavior
Injects code into the Windows Explorer (explorer.exe)Show sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exeMemory written: PID: 2600 base: 5102D value: E9Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E20000 value: FEJump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E30000 value: F6Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E40000 value: 11Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E80000 value: 43Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1ED0000 value: 55Jump to behavior
Maps a DLL or memory area into another processShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exeSection loaded: unknown target pid: 2600 protection: execute and read and writeJump to behavior
Writes to foreign memory regionsShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exeMemory written: C:\Windows\explorer.exe base: 5102DJump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\taskhost.exe base: 4A0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\taskhost.exe base: 4B0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\taskhost.exe base: 15D0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\taskhost.exe base: 1F60000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\taskhost.exe base: 4C0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\dwm.exe base: 180000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\dwm.exe base: 1D0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\dwm.exe base: 13B0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\dwm.exe base: 1760000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\dwm.exe base: 1E0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\explorer.exe base: 1E20000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\explorer.exe base: 1E30000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\explorer.exe base: 1E40000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\explorer.exe base: 1E80000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\explorer.exe base: 1ED0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 11B0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 11C0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 11D0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 1210000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 1250000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\notepad.exe base: 1190000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\notepad.exe base: 11A0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\notepad.exe base: 11B0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\notepad.exe base: 12C0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\notepad.exe base: 11F0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 70000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 80000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 1E0000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 390000Jump to behavior
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\conhost.exe base: 90000Jump to behavior
Contains functionality to launch a program with higher privilegesShow sources
Source: C:\Users\user\Desktop\zhAQkCQvME.exeCode function: 0_2_004031F0 EntryPoint,memset,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,#31,#31,__vprintf_l,_wtol,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,CopyFileW,#31,#31,ExitProcess,0_2_004031F0
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1 Jump to behavior
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Users\user\Desktop\zhAQkCQvME.exeCode function: 0_2_004077F0 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,FreeSid,LocalFree,LocalFree,0_2_004077F0
Contains functionality to create a new security descriptorShow sources
Source: C:\Users\user\Desktop\zhAQkCQvME.exeCode function: 0_2_00407550 AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,0_2_00407550
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmpBinary or memory string: ProgmanN
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040A800 cpuid 0_2_0040A800
Queries device information via Setup API
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040AC10 SetupDiGetDeviceRegistryPropertyA,GetLastError,0_2_0040AC10
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Windows\explorer.exe | Code function: 12_2_01505564 CreateNamedPipeA,12_2_01505564
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040F770 memset,GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW,0_2_0040F770
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00410BA0 NetUserEnum,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,0_2_00410BA0
Contains functionality to query windows version
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040A090 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,#31,lstrcpynW,lstrcpynW,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetVersionExA,GetModuleHandleA,GetProcAddress,GetWindowsDirectoryW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,0_2_0040A090
Queries the cryptographic machine GUID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match | File source: Process Memory Space: zhAQkCQvME.exe PID: 2444, type: MEMORY

Remote Access Functionality:

Yara detected Qbot
Source: Yara match | File source: Process Memory Space: zhAQkCQvME.exe PID: 2444, type: MEMORY

Signature Similarity

Sample Distance (10 = nearest) chart; table columns: Samplename | Analysis ID | SHA256 | Similarity (no similar samples listed)

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 997215 | Sample: zhAQkCQvME | Startdate: 13/11/2019 | Architecture: WINDOWS | Score: 100

Sample-level signatures:
  • Genetic Malware detection for sample
  • Malicious sample detected (through community Yara rule)
  • Antivirus or Machine Learning detection for sample
  • 10 other signatures

Process tree (node numbers from the graph; trailing counts are created registry values / files as drawn on the node):
  • zhAQkCQvME.exe 4 (node 8), started
    • dropped: C:\Users\user\AppData\Roaming\...\jkfkdm.exe, PE32
    • dropped: C:\Users\user\...\jkfkdm.exe:Zone.Identifier, ASCII
    • signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 3 other signatures
    • started: jkfkdm.exe (node 16), zhAQkCQvME.exe (node 19), schtasks.exe (node 21)
  • zhAQkCQvME.exe 2 2 (node 12), started
    • started: cmd.exe (node 23), jkfkdm.exe (node 27), schtasks.exe (node 29)
  • jkfkdm.exe (node 14), started
    • started: jkfkdm.exe (node 31)
  • jkfkdm.exe (node 16)
    • signatures: Genetic detection for dropped file; Antivirus or Machine Learning detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
    • started: explorer.exe 1 14 (node 33), jkfkdm.exe (node 37)
  • cmd.exe (node 23)
    • DNS/IP: 127.0.0.1 unknown unknown
    • dropped: C:\Users\user\Desktop\zhAQkCQvME.exe, PE32
    • signatures: Uses ping.exe to sleep
    • started: PING.EXE (node 39)
  • jkfkdm.exe (node 27)
    • started: jkfkdm.exe (node 41)
  • explorer.exe (node 33)
    • DNS/IP: 162.244.225.30, 443, 49158, 49162 CARSON-RTCA-CarsonCommunicationsLLCUS United States
    • DNS/IP: 23.49.13.33, 7000 unknown United States
    • DNS/IP: 2 other IPs or domains
    • signatures: System process connects to network (likely due to code injection or exploit); Found stalling execution ending in API Sleep call; Changes memory attributes in foreign processes to executable or writable; 5 other signatures
    • injected: explorer.exe 2 (node 43), taskhost.exe (node 45), dwm.exe (node 47), 3 other processes (node 49)

Simulations

Behavior and APIs

Time | Type | Description
19:27:48 | API Interceptor | 125x Sleep call for process: zhAQkCQvME.exe modified
19:27:58 | API Interceptor | 3x Sleep call for process: schtasks.exe modified
19:27:59 | Task Scheduler | Run new task: ahizzkkevf path: "C:\Users\user\Desktop\zhAQkCQvME.exe" s>/I ahizzkkevf
19:27:59 | API Interceptor | 150x Sleep call for process: jkfkdm.exe modified
19:41:05 | API Interceptor | 2934x Sleep call for process: explorer.exe modified
19:41:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr "C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe"
19:41:39 | API Interceptor | 24x Sleep call for process: taskhost.exe modified
19:41:44 | API Interceptor | 220x Sleep call for process: dwm.exe modified
19:42:22 | API Interceptor | 325x Sleep call for process: conhost.exe modified
19:42:34 | API Interceptor | 87x Sleep call for process: notepad.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
zhAQkCQvME.exe | 76% | Virustotal |
zhAQkCQvME.exe | 100% | Intezer | Qakbot
zhAQkCQvME.exe | 100% | Avira | TR/Crypt.ZPACK.hfoah
zhAQkCQvME.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | 100% | Avira | TR/Crypt.ZPACK.hfoah
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | 100% | Intezer | Qakbot
C:\Users\user\Desktop\zhAQkCQvME.exe | 0% | Metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
25.2.notepad.exe.11b0000.2.unpack | 100% | Avira | HEUR/AGEN.1007600
18.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
5.1.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.explorer.exe.3f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
17.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
12.2.explorer.exe.1500000.3.unpack | 100% | Avira | HEUR/AGEN.1042725
5.0.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
14.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
7.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
2.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
1.1.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.taskhost.exe.15d0000.4.unpack | 100% | Avira | HEUR/AGEN.1007600
14.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
1.0.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
6.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
2.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
0.2.zhAQkCQvME.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
5.2.zhAQkCQvME.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
0.0.zhAQkCQvME.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
26.2.conhost.exe.1e0000.1.unpack | 100% | Avira | HEUR/AGEN.1007600
14.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
18.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
18.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.zhAQkCQvME.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
17.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.dwm.exe.13b0000.1.unpack | 100% | Avira | HEUR/AGEN.1007600
6.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.zhAQkCQvME.exe.1c20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.jkfkdm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
6.0.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.hfoah
24.2.conhost.exe.11d0000.2.unpack | 100% | Avira | HEUR/AGEN.1007600
7.1.jkfkdm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | Virustotal |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://9i43.gifabc11application/x-shockwave-flash | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M | 0% | Avira URL Cloud | safe
https://162.244.225.30/ | 0% | Virustotal |
https://162.244.225.30/ | 0% | Avira URL Cloud | safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoa | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
0000000C.00000003.535349218.01779000.00000004.00000001.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • 0xb40e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x5491:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
00000000.00000002.470976903.015F7000.00000004.00000040.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
00000000.00000002.472365977.01B20000.00000004.00000001.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
0000000C.00000002.753280657.01500000.00000040.00000001.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
0000000C.00000002.753280657.01500000.00000040.00000001.sdmp | QakBot | QakBot Payload | kevoreilly
  • 0x17951:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
Process Memory Space: zhAQkCQvME.exe PID: 2444 | JoeSecurity_Qbot | Yara detected Qbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.explorer.exe.3f0000.0.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.3f0000.0.raw.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xb40e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x5491:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
14.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.1500000.3.unpack | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
12.2.explorer.exe.1500000.3.unpack | QakBot | QakBot Payload | kevoreilly
  • 0x16d51:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
7.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
6.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
2.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
0.2.zhAQkCQvME.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
  • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
  • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.1500000.3.raw.unpack | Datper | detect Datper in memory | JPCERT/CC Incident Response Group
    12.2.explorer.exe.1500000.3.raw.unpack | QakBot | QakBot Payload | kevoreilly
    • 0x17951:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
    5.2.zhAQkCQvME.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
    • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
    • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
    18.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
    • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
    • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
    1.2.zhAQkCQvME.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
    • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
    • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
    17.2.jkfkdm.exe.400000.1.unpack | QakBot | QakBot Payload | kevoreilly
    • 0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ...
    • 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...

    Sigma Overview

    No Sigma rule has matched

    Joe Sandbox View / Context

    IPs

    Match | Associated Sample Name / URL | Detection | Context
    23.49.13.33 | vlltike.exe | malicious | -
    23.49.13.33 | 103237972.62.exe | malicious | -
    23.49.13.33 | Operating Agreement 0102282019c02.doc | malicious | -
    23.49.13.33 | Operating Agreement 0102282019c02.doc | malicious | -
    23.49.13.33 | Operating Agreement 0102282019a00.doc | malicious | -
    23.49.13.33 | Operating Agreement 0102282019a00.doc | malicious | -
    23.49.13.33 | 957043_6ZK2400309.xml | malicious | -
    23.49.13.33 | Agreement_01142019b.doc | malicious | -
    23.49.13.33 | Agreement_01142019b.doc | malicious | -
    162.244.225.30 | http://jeevanmate.com/assets/plugins/bootstrap-modal/img/_vti_cnf/CO7221619133069235401.zip | malicious | -
    209.126.124.166 | 103237972.62.exe | malicious | www.ip-adress.com/
    209.126.124.166 | Operating Agreement 0102282019c02.doc | malicious | www.ip-adress.com/
    209.126.124.166 | Operating Agreement 0102282019c02.doc | malicious | www.ip-adress.com/
    209.126.124.166 | 957043_6ZK2400309.xml | malicious | www.ip-adress.com/

    Domains

    Match | Associated Sample Name / URL | Detection | Context
    www.ip-adress.com | vlltike.exe | malicious | 85.93.89.6
    www.ip-adress.com | 103237972.62.exe | malicious | 209.126.124.166
    www.ip-adress.com | Operating Agreement 0102282019c02.doc | malicious | 209.126.124.166
    www.ip-adress.com | Operating Agreement 0102282019c02.doc | malicious | 209.126.124.166
    www.ip-adress.com | Operating Agreement 0102282019a00.doc | malicious | 85.93.88.251
    www.ip-adress.com | Operating Agreement 0102282019a00.doc | malicious | 85.93.88.251
    www.ip-adress.com | 957043_6ZK2400309.xml | malicious | 209.126.124.166
    www.ip-adress.com | Agreement_01142019b.doc | malicious | 85.93.89.6
    www.ip-adress.com | Agreement_01142019b.doc | malicious | 85.93.88.251

    ASN

    Match | Associated Sample Name / URL | Detection | Context
    CARSON-RTCA-CarsonCommunicationsLLCUS | http://jeevanmate.com/assets/plugins/bootstrap-modal/img/_vti_cnf/CO7221619133069235401.zip | malicious | 162.244.225.30
    CARSON-RTCA-CarsonCommunicationsLLCUS | roil_rvdpf.vbs | malicious | 162.244.224.166
    unknown | http://pingclock.net | malicious | 172.241.69.28
    unknown | http://pingclock.net/21db1c5c8b372aecca.js | malicious | 172.241.69.28
    unknown | http://mbsal.com/MBSRS.exe | malicious | 52.232.106.174
    unknown | 219_1.doc | malicious | 5.188.108.58
    unknown | rSBnYh8Oge | malicious | 216.58.201.74
    unknown | virus.doc | malicious | 148.66.136.217
    unknown | aaaaa.exe | malicious | 127.0.0.1
    unknown | https://invoicingpaymentdue.blogspot.com/b/post-preview?token=APq4FmBZb1KT8BdomnzOR8fVp5TDdBzuBlrL9V9MVrbzx_R1qA4JV386U4orUlu_29p3fG4cJH3QsRmby7NHmri2UuX1YVuvwqMarGeiSqfLO7cQx6iAbqyZGSGx7ojzQ660lLUlWlid&postId=2643391519197208988&type=POST | malicious | 216.58.201.65
    unknown | https://vmail.trifalga.com/loading.html#pankit.desai@sequretek.com | malicious | 185.87.187.198
    unknown | https://jjcardsandgifts.com/wp-content/plugins/apikey/download/6922.zip | malicious | 198.187.28.167
    unknown | Remittance Advice.html | malicious | 13.224.96.17
    unknown | https://jinanherbs.com/db/mobile/html | malicious | 138.128.170.10
    unknown | http://getapp.paradiskus.com/up/dl/1495373619430762/pupdate.exe | malicious | 68.183.19.241
    unknown | Cover_letter1244486564.doc | malicious | 5.188.108.58
    unknown | Cover_letter1244486564.doc | malicious | 93.189.149.187
    unknown | cas.exe | malicious | 77.88.21.158
    unknown | http://pingclock.net/21db1c5c8b372aecca.js | malicious | 172.241.69.28
    unknown | 2019204938483922_11_13_2019.pdf.htm | malicious | 152.199.23.37
    unknown | N_910 del 06_10_19.xls | malicious | 173.232.146.171
    unknown | Cover_letter1225776086.doc | malicious | 5.188.108.58

    JA3 Fingerprints

    Match | Associated Sample Name / URL | Detection | Context
    7dcce5b76c8b17472d024758970a406b | Remittance Advice.html | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | test.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Anuncio importante.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | University College Dublin Shared Document.docx | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Bonus Plan.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Anuncio importante.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | AccountInvoice8472.xlsm | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | AccountInvoice8472.xlsm | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | test.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | JHE-004673889596.xls | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Shasta resume.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | http://info-iconplc.com | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | John Azbill - Harassment complaint letter (212-546-4000).doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | OneDrive (1).pdf | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | John Azbill - Harassment complaint letter (212-546-4000).doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | John Azbill - Harassment complaint letter (212-546-4000).doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Agreement.docx | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | John Azbill - Harassment complaint letter (212-546-4000).doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | Harassment complaint letter.doc | malicious | 209.126.124.166
    7dcce5b76c8b17472d024758970a406b | OneDrive.pdf | malicious | 209.126.124.166
    eb88d0b3e1961a0562f006e5ce2a0b87 | vlltike.exe | malicious | 162.244.225.30
    eb88d0b3e1961a0562f006e5ce2a0b87 | 103237972.62.exe | malicious | 162.244.225.30
    eb88d0b3e1961a0562f006e5ce2a0b87 | 957043_6ZK2400309.xml | malicious | 162.244.225.30

    Dropped Files

    Match | Associated Sample Name / URL | Detection | Context
    C:\Users\user\Desktop\zhAQkCQvME.exe | vlltike.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | 103237972.62.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | vlltike.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | 103237972.62.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Operating Agreement 0102282019c02.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Operating Agreement 0102282019c02.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Operating Agreement 0102282019a00.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Operating Agreement 0102282019a00.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | 957043_6ZK2400309.xml | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Agreement_01142019b.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | Agreement_01142019b.doc | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | sYd4FTqbr6.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | uyrieaj.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | jbtblo.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | XFrEhB8Kir.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | qfcluop.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | nqpug.exe | malicious | -
    C:\Users\user\Desktop\zhAQkCQvME.exe | ufeqqukv.exe | malicious | -

    Screenshots

    Startup

    • System is w7_1
    • zhAQkCQvME.exe (PID: 2276 cmdline: 'C:\Users\user\Desktop\zhAQkCQvME.exe' MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
      • zhAQkCQvME.exe (PID: 2380 cmdline: C:\Users\user\Desktop\zhAQkCQvME.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
      • jkfkdm.exe (PID: 2340 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
        • jkfkdm.exe (PID: 2424 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
        • explorer.exe (PID: 2600 cmdline: C:\Windows\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • taskhost.exe (PID: 1432 cmdline: taskhost.exe MD5: 72E953215CADE1A726C04AAFDF6B463D)
          • dwm.exe (PID: 1612 cmdline: C:\Windows\system32\Dwm.exe MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D)
          • explorer.exe (PID: 1692 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • conhost.exe (PID: 3208 cmdline: C:\Windows\system32\conhost.exe '-1424767469172410782218338736475073951151716783479-3432011951180489686930716817 MD5: 761D6906DE888CF832606CFCDC9E7C47)
          • notepad.exe (PID: 3240 cmdline: notepad MD5: A4F6DF0E33E644E802C8798ED94D80EA)
          • conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe '-1474411583-1677719561-3844903701797535695-949774581987480516-1169154459-1441374392 MD5: 761D6906DE888CF832606CFCDC9E7C47)
      • schtasks.exe (PID: 2416 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • zhAQkCQvME.exe (PID: 2444 cmdline: C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
      • jkfkdm.exe (PID: 2480 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
        • jkfkdm.exe (PID: 2660 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
      • cmd.exe (PID: 2460 cmdline: 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • PING.EXE (PID: 2592 cmdline: ping.exe -n 6 127.0.0.1 MD5: 6242E3D67787CCBF4E06AD2982853144)
      • schtasks.exe (PID: 2532 cmdline: 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • jkfkdm.exe (PID: 696 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe' MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
      • jkfkdm.exe (PID: 1864 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)
    • cleanup

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\Y0S5SGVE.htm
    Process:C:\Windows\explorer.exe
    File Type:HTML document, UTF-8 Unicode text, with very long lines
    Size (bytes):28550
    Entropy (8bit):5.617695193208009
    Encrypted:false
    MD5:096632DFB3832AB9296351FFF6D3DF8D
    SHA1:22981727C6E1452281E14DD74618FA895984EE9E
    SHA-256:0558F37D987D887F55172E3BAC6F2B7131F7AFC473C096A2A971F79B396094CC
    SHA-512:ECA9AAB8AE3808381B10C11AD74642F938645D328A94CE2BB589A78BEFD59038F01E85B1FD08D5A62619A1F037549D0896675AFEA8F1593E5541272E9BE2EDE4
    Malicious:false
    Preview: <!DOCTYPE html>.<html>.<head>.<link rel="canonical" href="https://www.ip-adress.com/"/>.<title>What Is My IP Address? Find Your IP, Whois And More On IP-Adress.com</title>.<meta name="description" content="Find out what your IP address is or use free website tools like our Whois lookup, proxy checker, and services to trace or verify an email.">.<meta charset="utf-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<meta name="viewport" content="width=device-width,initial-scale=1">.<link rel="shortcut icon" href="https://www.ip-adress.com/favicon.ico">.<link rel="icon" sizes="16x16 32x32 64x64" href="https://www.ip-adress.com/favicon.ico">.<link rel="icon" type="image/png" sizes="196x196" href="https://www.ip-adress.com/favicons/favicon-192.png">.<link rel="icon" type="image/png" sizes="160x160" href="https://www.ip-adress.com/favicons/favicon-160.png">.<link rel="icon" type="image/png" sizes="96x96" href="https://www.ip-adress.com/favicons/favicon-96.png">.<link rel="icon" type="
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\t3[1]
    Process:C:\Windows\explorer.exe
    File Type:ASCII text, with very long lines, with no line terminators
    Size (bytes):1008
    Entropy (8bit):5.979490138693068
    Encrypted:false
    MD5:0B247F3DE093BFE93909368192FD3F2F
    SHA1:B259C32FD8073B7C5655D1133429A3805542614B
    SHA-256:E16FF59A24C527A7DB7C8B40318F587D84C2897635DD94F055D068252326788C
    SHA-512:FA5C8C05768320E4921198566E71EDA3748221775B65CA20B7B2D2F3843F149BF59159DA08783F4ED521FD8F7F3E5F998FF7FDF174ACA576C5471E273916E74A
    Malicious:false
    C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.dat
    Process:C:\Windows\explorer.exe
    File Type:data
    Size (bytes):1569
    Entropy (8bit):7.250934087925775
    Encrypted:false
    MD5:3D5F9EA4EAF4D7172EA28E601BA4DC90
    SHA1:022F7416F2B62B1CB7D42533EBE473864788D1BA
    SHA-256:C4D326D3353FC2CF1226792E2C3CBD508E089B93C627861DB9C7868CC13DC70D
    SHA-512:9346D9B3543CBC2F63739AE664C1E4FDDDF2975B3B89DC2D13E6283079B4827831CDE288F943703ABE61F7486979E7A0101C2A1B8EFECCE4D5D530E7C033FB4E
    Malicious:false
    C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
    Process:C:\Users\user\Desktop\zhAQkCQvME.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Size (bytes):676352
    Entropy (8bit):7.853188857056287
    Encrypted:false
    MD5:E7DE0CC04F0A433FCE5336B7C7504D2C
    SHA1:FF44818AF235DA435F601532ACD29043B6A37AB0
    SHA-256:E736CF964B998E582FD2C191A0C9865814B632A315435F80798DD2A239A5E5F5
    SHA-512:43B273A7570D6F0A9DC328913E330A16EC64D1768736D93FEE21824050A2F3FEAC5F64E99601543CF31D03E13784D0ACB5DDEC0BD063A3C870A4CB130CB54442
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: Intezer, Detection: 100%
    C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe:Zone.Identifier
    Process:C:\Users\user\Desktop\zhAQkCQvME.exe
    File Type:ASCII text, with CRLF line terminators
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:true
    Preview: [ZoneTransfer]....ZoneId=0
    C:\Users\user\Desktop\zhAQkCQvME.exe
    Process:C:\Windows\System32\cmd.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Size (bytes):776192
    Entropy (8bit):7.15627507937909
    Encrypted:false
    MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
    SHA1:9018A7D6CDBE859A430E8794E73381F77C840BE0
    SHA-256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
    SHA-512:68B9F9C00FC64DF946684CE81A72A2624F0FC07E07C0C8B3DB2FAE8C9C0415BD1B4A03AD7FFA96985AF0CC5E0410F6C5E29A30200EFFF21AB4B01369A3C59B58
    Malicious:false
    Antivirus:
    • Antivirus: Metadefender, Detection: 0%
    Joe Sandbox View:
    • Filename: vlltike.exe, Detection: malicious
    • Filename: 103237972.62.exe, Detection: malicious
    • Filename: vlltike.exe, Detection: malicious
    • Filename: 103237972.62.exe, Detection: malicious
    • Filename: Operating Agreement 0102282019c02.doc, Detection: malicious
    • Filename: Operating Agreement 0102282019c02.doc, Detection: malicious
    • Filename: Operating Agreement 0102282019a00.doc, Detection: malicious
    • Filename: Operating Agreement 0102282019a00.doc, Detection: malicious
    • Filename: 957043_6ZK2400309.xml, Detection: malicious
    • Filename: Agreement_01142019b.doc, Detection: malicious
    • Filename: Agreement_01142019b.doc, Detection: malicious
    • Filename: sYd4FTqbr6.exe, Detection: malicious
    • Filename: uyrieaj.exe, Detection: malicious
    • Filename: jbtblo.exe, Detection: malicious
    • Filename: XFrEhB8Kir.exe, Detection: malicious
    • Filename: qfcluop.exe, Detection: malicious
    • Filename: nqpug.exe, Detection: malicious
    • Filename: ufeqqukv.exe, Detection: malicious
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.SL...L...L...Ej].E...L.......Ej[.m...EjK.W...EjL.....Ej\.M...EjY.M...RichL...........PE..L......L............................l-....... ......................................0.....@...... ..............................T........'......................<;..D<..8...........................0...@...p...T.......0...x...@....................text....,.......................... ..`.data....@...@...B...2..............@....rsrc....'.......(...t..............@..@.reloc..<;.......<..................@..B..L......L.......L.......L....n..L....r..L..../..L....o..L.......L....n..L......L....n..L....&..L.......L....B..L&...%..L0......L<.....LF...........SHELL32.dll.SHLWAPI.dll.gdiplus.dll.ADVAPI32.dll.ntdll.DLL.OLEAUT32.dll.UxTheme.dll.ole32.dll.COMCTL32.dll.KERNEL32.dll.USER32.dll.RPCRT4.dll.WINMM.dll.VERSION.dll.GDI32.dll.msvcrt.dll........................................

Domains and IPs

Contacted Domains

Columns: Name, IP, Active, Malicious, Antivirus Detection, Reputation
Name: www.ip-adress.com, IP: 209.126.124.166, Active: true, Malicious: false, Antivirus Detection: (none), Reputation: high
Name: 164.136.132.91.in-addr.arpa, IP: unknown, Active: unknown, Malicious: true, Antivirus Detection: (none), Reputation: low

URLs from Memory and Binaries

Columns: Name, Source, Malicious, Antivirus Detection, Reputation
                                                                                                                                                                                              high
                                                                                                                                                                                              https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookietaskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                                                low
                                                                                                                                                                                                http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIH?ver=cc00taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&mtaskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtrJ1?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpgtaskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://www.ip-adress.com/what-is-my-ip-addressexplorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpgtaskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://www.ip-adress.com/ip-address/ipv4/80.187.107.2explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://www.ip-adress.com/verify-email-addressexplorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIm?ver=d018taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwR4s.img?h=333&w=311taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://schemas.xmlsoazhAQkCQvME.exe, 00000000.00000003.453309642.01B5B000.00000004.00000001.sdmp, zhAQkCQvME.exe, 00000005.00000003.475248063.00F2B000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.481716807.0177B000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-72257498/directiotaskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&utaskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpgtaskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://wh.ip-adress.com/r1explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvXhQ.img?h=166&w=310taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            http://www.ip-adress.comzhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exefalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pngtaskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuzRp?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jptaskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwGur?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jptaskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    http://crl.entrust.net/2048ca.crl0explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjYtaskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                                                                                      unknown
                                                                                                                                                                                                                                      http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&mtaskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        https://cvision.media.net/new/300x300/3/74/46/90/d639d099-11d6-4d90-82f4-691ae09aeb85.jpg?v=9taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                                          high
                                                                                                                                                                                                                                          https://www.ip-adress.com/Nexplorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                                                            high
                                                                                                                                                                                                                                            https://www.ip-adress.com/shariff/shariff.complete.cssexplorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                                                              high
                                                                                                                                                                                                                                              http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvXhQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jptaskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                                http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuzRp.img?h=166&w=310taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpfalse
                                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                                  http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlYtaskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                                                  http://ocsp.entrust.net03explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpfalse
                                                                                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                                                                                  unknown

                                                                                                                                                                                                                                                  Contacted IPs


                                                                                                                                                                                                                                                  Public

IP | Country | ASN | ASN Name | Malicious
23.49.13.33 | United States | 16625 | unknown | true
162.244.225.30 | United States | 1423 | CARSON-RTCA-CarsonCommunicationsLLCUS | true
209.126.124.166 | United States | 30083 | unknown | false

                                                                                                                                                                                                                                                  Private

                                                                                                                                                                                                                                                  IP
                                                                                                                                                                                                                                                  127.0.0.1

                                                                                                                                                                                                                                                  Static File Info

                                                                                                                                                                                                                                                  General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.853188857056287
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: zhAQkCQvME.exe
File size: 676352 bytes
MD5: e7de0cc04f0a433fce5336b7c7504d2c
SHA1: ff44818af235da435f601532acd29043b6a37ab0
SHA256: e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5
SHA512: 43b273a7570d6f0a9dc328913e330a16ec64d1768736d93fee21824050a2f3feac5f64e99601543cf31d03e13784d0acb5ddec0bd063a3c870a4cb130cb54442
SSDEEP: 12288:/18kn+Q2MbyreC+7ZWCXBnqZADLQlz1GoUGUjZA2zopz9wiGLa9/8JQSaSZ:/oMbyrQ51qZZEoQjZAMt2187
File Content Preview: MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$............k}..k}..k}......k}......k}..6...k}......k}......k}......k}......k}......k}.15~..k}......k}..9...k}......k}......k}.....#k}
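The fields above (file type, 8-bit entropy, hashes) and the PE header fields in the next table (entry point, entry section, image base, presence of a signature) can be recomputed from the file itself without the sandbox. The script below is an added example written for this page, not Joe Sandbox code or the report's own tooling; it uses only the Python standard library. The bytes it parses come from build_sample_pe(), a constructed minimal PE32 image used so the script runs offline, not the analysed sample, and the 7.2 packing threshold is an assumed triage value (the sample's 7.85 is well above it, which is consistent with a packed or encrypted payload).

```python
"""Added example (not from the Joe Sandbox report): recompute "Static File Info"
and "Static PE Info" fields for a PE32 file with the standard library only.
The PE produced by build_sample_pe() is a constructed, non-functional image."""
import hashlib
import math
import struct

# Assumed triage threshold: packed/encrypted payloads sit near the 8.0 maximum,
# plain compiled code is usually well below it.
PACKED_ENTROPY_THRESHOLD = 7.2
MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_info(data: bytes) -> dict:
    """Parse the DOS/NT headers of a PE32 file and summarise it like the report."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # IMAGE_OPTIONAL_HEADER32 follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)   # ImageBase
    subsystem, = struct.unpack_from("<H", data, opt + 68)    # Subsystem
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) points at the Authenticode blob;
    # a non-zero size only means a signature is present, not that it verifies.
    _, sec_size = struct.unpack_from("<II", data, opt + 96 + 4 * 8)

    sections = {}
    entry_section = None
    for i in range(nsections):
        off = opt + opt_size + 40 * i     # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name

    whole = shannon_entropy(data)
    return {
        "file_size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": whole,
        "file_type": "PE32 executable (%s) %s, for MS Windows" % (
            SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem),
            MACHINE_NAMES.get(machine, "machine 0x%x" % machine)),
        "entrypoint": image_base + entry_rva,     # reported as a virtual address
        "entrypoint_section": entry_section,
        "imagebase": image_base,
        "digitally_signed": sec_size != 0,
        "sections": sections,
        "likely_packed": whole > PACKED_ENTROPY_THRESHOLD
        or any(e > PACKED_ENTROPY_THRESHOLD for e in sections.values()),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32: headers plus one high-entropy .text section."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x234E)     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<H", opt, 68, 2)          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    text = struct.pack("<8sIIII", b".text", 0x2000, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2      # 512 raw bytes, entropy exactly 8.0


if __name__ == "__main__":
    for key, value in static_info(build_sample_pe()).items():
        print("%s: %s" % (key, hex(value) if key in ("entrypoint", "imagebase") else value))
```

Running it against a real file (read it in binary mode and pass the bytes to static_info) gives the same MD5/SHA1/SHA256 strings the report lists, so the values can be checked before trusting a third-party hash. The per-section entropies are the more useful packing signal: a small, low-entropy entry section next to a large near-8.0 data section is the typical shape of a crypter stub.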

                                                                                                                                                                                                                                                  File Icon

                                                                                                                                                                                                                                                  Icon Hash:8c8c80928292a60e

                                                                                                                                                                                                                                                  Static PE Info

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Entrypoint:0x40234e
                                                                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                                                                                                                                                                                  DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                                                                                                                                                                                  Time Stamp:0x5DA4F8D4 [Mon Oct 14 22:38:12 2019 UTC]
                                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                                  OS Version Major:5
                                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                                  File Version Major:5
                                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                                                  Import Hash:5e1df473304da895e634216143b56c18

Entrypoint Preview

Instruction
call 00007F7278B5AC7Dh
jmp 00007F7278B5A6D3h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F7278B5A98Dh
cmp dword ptr [eax+10h], 03h
jne 00007F7278B5A987h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F7278B5A977h
cmp eax, 19930521h
je 00007F7278B5A970h
cmp eax, 19930522h
je 00007F7278B5A969h
cmp eax, 01994000h
jne 00007F7278B5A968h
call dword ptr [00406078h]
xor eax, eax
pop ebp
retn 0004h
push 00402358h
call dword ptr [00406034h]
xor eax, eax
ret
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov ecx, dword ptr [ebp+08h]
mov eax, 00005A4Dh
cmp word ptr [ecx], ax
je 00007F7278B5A966h
xor eax, eax
pop ebp
ret
mov eax, dword ptr [ecx+3Ch]
add eax, ecx
cmp dword ptr [eax], 00004550h
jne 00007F7278B5A951h
xor edx, edx
mov ecx, 0000010Bh
cmp word ptr [eax+18h], cx
sete dl
mov eax, edx
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
push ebx
push esi
movzx esi, word ptr [ecx+06h]
xor edx, edx
push edi
lea eax, dword ptr [eax+ecx+18h]
test esi, esi
jbe 00007F7278B5A97Dh
mov edi, dword ptr [ebp+0Ch]
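Nothing in the entrypoint preview is sample-specific logic. The routine at 00402358h (the address pushed before the call through [00406034h]) is the C runtime's C++ unhandled-exception filter: it tests for the MSVC C++ exception code 0xE06D7363, three parameters, and the 0x19930520, 0x19930521, 0x19930522 and 0x01994000 magics before calling through the import table. The two routines after it are the runtime's image sanity checks: 'MZ' (0x5A4D) at offset 0, 'PE\0\0' (0x4550) at the offset stored at 0x3C, the PE32 optional-header magic 0x10B at NT+0x18, NumberOfSections at NT+0x06, SizeOfOptionalHeader at NT+0x14, and the section table at NT+0x18+SizeOfOptionalHeader (the lea eax, [eax+ecx+18h]). The Python below is an added example, not code from the report or from the sample: it performs the same validation with the standard library and decodes the fields Joe Sandbox lists under Static PE Info and Data Directories. The image it parses is constructed inline from the values printed on this page (entrypoint, image base, timestamp, flags, the import, resource and debug directories); it is not the analysed file, and the section sizes and the absent directories are assumptions.

```python
# Added example: standard-library PE32 header inspector mirroring the CRT checks
# shown in the entrypoint preview. Not part of the Joe Sandbox report or the sample.
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ", checked at offset 0
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0", checked at e_lfanew
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32, checked at NT+0x18

FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or '' (header data)."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return ""


def parse_pe32(data):
    """Validate the headers the way the CRT stub does, then decode them.
    Raises ValueError where the stub would return 0."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if struct.unpack_from("<I", data, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    (_machine, nsections, timestamp, _symtab, _nsyms, opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 0x18                                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]    # AddressOfEntryPoint (RVA)
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 0x28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 0x44)
    ndirs = struct.unpack_from("<I", data, opt + 0x5C)[0]
    sections = []   # section table at NT+0x18+SizeOfOptionalHeader, 40 bytes each
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    dirs = {}
    for i in range(min(ndirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, opt + 0x60 + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size, section_for_rva(sections, rva))
    stamp = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "entrypoint": image_base + entry,
        "entrypoint_section": section_for_rva(sections, entry),
        "imagebase": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "file_characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "timestamp": stamp.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": (os_major, os_minor),
        "data_directories": dirs,
    }


def is_valid_pe32(data):
    """Boolean form of the check, like the CRT helper that returns 0 or 1."""
    try:
        parse_pe32(data)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_image():
    """Constructed header-only PE32 carrying this report's values. Section
    sizes and the directories left at zero are assumptions."""
    dos = bytearray(0x80)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x80)                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x5DA4F8D4, 0, 0, 0xE0, 0x0103)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x234E)                 # entry RVA
    struct.pack_into("<I", opt, 0x1C, 0x400000)               # ImageBase
    struct.pack_into("<HHHHHH", opt, 0x28, 5, 0, 5, 0, 5, 0)  # OS/image/subsystem versions
    struct.pack_into("<HH", opt, 0x44, 2, 0xC100)             # GUI; NX_COMPAT|GUARD_CF|TS_AWARE
    struct.pack_into("<I", opt, 0x5C, 16)
    for idx, rva, size in ((1, 0x62A4, 0x8C), (2, 0x9E000, 0xCDB0), (6, 0xA0, 0x1C)):
        struct.pack_into("<II", opt, 0x60 + 8 * idx, rva, size)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, 0, 0, 0, 0, 0, 0, 0)
        for name, va, vsize in ((b".text", 0x1000, 0x5000),
                                (b".rdata", 0x6000, 0x4000),
                                (b".rsrc", 0x9E000, 0xCDB0)))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_image()).items():
        print(f"{key}: {value}")
```

Two things the decode makes visible that the flat listing does not: the 0xA0 debug directory resolves to no section because it lives inside the headers, and the image sets GUARD_CF and NX_COMPAT but not DYNAMIC_BASE, while RELOCS_STRIPPED is set and the BASERELOC directory is empty, so the loader cannot rebase it and ASLR does not apply to this module whatever the other mitigation bits say.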

Rich Headers

Programming Language:
• [C++] VS2012 UPD1 build 51106
• [ C ] VS2013 UPD2 build 30501
• [ C ] VS2013 UPD5 build 40629
• [ASM] VS2005 build 50727
• [ASM] VS2015 UPD3 build 24213
• [RES] VS2015 UPD2 build 23918
• [C++] VS2013 UPD2 build 30501
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2008 build 21022
• [ASM] VS2010 SP1 build 40219
• [IMP] VS2010 SP1 build 40219
• [RES] VS2012 UPD4 build 61030
• [EXP] VS2008 SP1 build 30729
• [RES] VS2012 build 50727
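The list above is decoded from the Rich header, the XOR-obfuscated block the Microsoft linker writes between the DOS stub and the PE header. Each entry records a product id and build number (the build numbers shown, 51106, 30501 and so on, are the low 16 bits of each @comp.id) together with a count of objects that component contributed. The XOR key is also a checksum over the DOS header and the entries, so a Rich header that has been edited, or copied in from another binary to misattribute a sample, normally fails to verify. The Python below is an added example, not code from the report or the sample: it decodes a Rich header and checks the key. The header it parses is constructed inline; its product ids are placeholders and no mapping to Visual Studio versions is attempted.

```python
# Added example: Rich header decoder and checksum verifier (standard library only).
# Not part of the Joe Sandbox report or the sample; the header below is constructed.
import struct

DANS = 0x536E6144  # "DanS" as a little-endian dword
RICH = b"Rich"


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_offset, entries):
    """Key = block offset + every DOS-header byte rotated by its position
    (e_lfanew at 0x3C..0x3F excluded) + every compid rotated by its count."""
    total = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        total += rol32(data[i], i)
    for prodid, build, count in entries:
        total += rol32((prodid << 16) | build, count)
    return total & 0xFFFFFFFF


def parse_rich_header(data):
    """Return {'offset', 'key', 'entries': [(prodid, build, count), ...]} or None."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.find(RICH, 0x40, e_lfanew)        # marker sits before the PE header
    if end < 0:
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    words, pos = [], end - 4
    while pos >= 0:                               # walk back, de-XORing, until DanS
        word = struct.unpack_from("<I", data, pos)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        pos -= 4
    else:
        return None
    words.reverse()                               # [0, 0, 0, compid, count, compid, count, ...]
    body = words[3:]
    if len(body) % 2:
        return None
    entries = [(body[i] >> 16, body[i] & 0xFFFF, body[i + 1])
               for i in range(0, len(body), 2)]
    return {"offset": pos, "key": key, "entries": entries}


def rich_header_is_consistent(data, hdr):
    """False if the DOS stub or the entries were changed after linking."""
    return rich_checksum(data, hdr["offset"], hdr["entries"]) == hdr["key"]


def build_rich_header(dos_header, entries):
    """Append a DanS ... Rich block to a DOS header the way the linker does."""
    key = rich_checksum(dos_header, len(dos_header), entries)
    out = bytearray(dos_header)
    out += struct.pack("<IIII", DANS ^ key, key, key, key)   # three padding words are 0 ^ key
    for prodid, build, count in entries:
        out += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    out += RICH + struct.pack("<I", key)
    return bytes(out)


def build_sample():
    """Constructed: bare MZ header with e_lfanew pointing past the block, and two
    entries. Build numbers are from this report; product ids are placeholders."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80 + 16 + 2 * 8 + 8)
    return build_rich_header(bytes(dos), [(0x0001, 51106, 3), (0x0002, 30501, 12)])


if __name__ == "__main__":
    sample = build_sample()
    hdr = parse_rich_header(sample)
    print(hdr, rich_header_is_consistent(sample, hdr))
```

Flipping a single byte in the DOS stub, which is what a repacked or patched sample looks like, leaves the block parseable but makes the stored key disagree with the recomputed checksum; a list like the one above should therefore be read together with that check before it is used for attribution.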

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4 | 0x3 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x62a4 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0xcdb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x4 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa0 | 0x1c |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x490c | 0x4a00 | False | 0.627375422297 | data | 6.20789976151 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0xaa5 | 0x800 | False | 0.49072265625 | data | 4.63372863295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x5928 | 0x2c00 | False | 0.608487215909 | data | 6.93693441659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
CODE | 0xd000 | 0x90059 | 0x90200 | False | 0.999666291739 | data | 7.99951263317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x9e000 | 0xcffa | 0xce00 | False | 0.262439320388 | data | 3.80618140741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x9ed90 | 0x2e8 | data | English | United States
RT_ICON | 0x9f078 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1317570696, next used block 204 | English | United States
RT_MENU | 0x9f360 | 0x1c5c | data | English | United States
RT_MENU | 0xa0fc0 | 0x154 | data | English | United States
RT_DIALOG | 0xa1118 | 0x260 | data | English | United States
RT_DIALOG | 0xa1378 | 0x1dc | data | English | United States
RT_DIALOG | 0xa1558 | 0x1b8 | data | English | United States
RT_DIALOG | 0xa1710 | 0x244 | data | English | United States
RT_DIALOG | 0xa1958 | 0x154 | data | English | United States
RT_DIALOG | 0xa1ab0 | 0x164 | data | English | United States
RT_DIALOG | 0xa1c18 | 0x1fc | data | English | United States
RT_DIALOG | 0xa1e18 | 0x1c8 | data | English | United States
RT_DIALOG | 0xa1fe0 | 0x144 | data | English | United States
RT_DIALOG | 0xa2128 | 0x160 | data | English | United States
RT_DIALOG | 0xa2288 | 0x1e4 | data | English | United States
RT_DIALOG | 0xa2470 | 0x180 | data | English | United States
RT_DIALOG | 0xa25f0 | 0x198 | data | English | United States
RT_DIALOG | 0xa2788 | 0x1b4 | data | English | United States
RT_DIALOG | 0xa2940 | 0x1d0 | data | English | United States
RT_DIALOG | 0xa2b10 | 0xfc | data | English | United States
RT_DIALOG | 0xa2c10 | 0x134 | data | English | United States
RT_DIALOG | 0xa2d48 | 0x428 | data | English | United States
RT_DIALOG | 0xa3170 | 0x4be | data | English | United States
RT_DIALOG | 0xa3630 | 0x1cc | data | English | United States
RT_DIALOG | 0xa3800 | 0x5ee | data | English | United States
RT_DIALOG | 0xa3df0 | 0x56c | data | English | United States
RT_DIALOG | 0xa4360 | 0x1a4 | data | English | United States
RT_DIALOG | 0xa4508 | 0x220 | data | English | United States
RT_DIALOG | 0xa4728 | 0x680 | data | English | United States
RT_DIALOG | 0xa4da8 | 0x11c | data | English | United States
RT_DIALOG | 0xa4ec8 | 0x148 | data | English | United States
RT_DIALOG | 0xa5010 | 0x148 | data | English | United States
RT_STRING | 0xa5158 | 0x2da | data | English | United States
RT_STRING | 0xa5438 | 0x176 | data | English | United States
RT_STRING | 0xa55b0 | 0x42 | data | English | United States
RT_STRING | 0xa55f8 | 0xfc | data | English | United States
RT_STRING | 0xa56f8 | 0x5c | data | English | United States
RT_STRING | 0xa5758 | 0x76 | data | English | United States
RT_STRING | 0xa57d0 | 0xad2 | data | English | United States
RT_STRING | 0xa62a8 | 0x6c0 | data | English | United States
RT_STRING | 0xa6968 | 0x542 | data | English | United States
RT_STRING | 0xa6eb0 | 0x84a | data | English | United States
RT_STRING | 0xa7700 | 0x200 | data | English | United States
RT_STRING | 0xa7900 | 0x45a | data | English | United States
RT_STRING | 0xa7d60 | 0x400 | data | English | United States
RT_STRING | 0xa8160 | 0x42a | data | English | United States
RT_STRING | 0xa8590 | 0x4b0 | data | English | United States
RT_STRING | 0xa8a40 | 0x6c | data | English | United States
RT_STRING | 0xa8ab0 | 0x60 | AmigaOS bitmap font | English | United States
RT_STRING | 0xa8b10 | 0xfc | data | English | United States
RT_STRING | 0xa8c10 | 0x198 | data | English | United States
RT_STRING | 0xa8da8 | 0xb2 | data | English | United States
RT_STRING | 0xa8e60 | 0x342 | data | English | United States
RT_STRING | 0xa91a8 | 0x22e | data | English | United States
RT_STRING | 0xa93d8 | 0x1c0 | data | English | United States
RT_STRING | 0xa9598 | 0x198 | data | English | United States
RT_STRING | 0xa9730 | 0x1c0 | data | English | United States
RT_STRING | 0xa98f0 | 0x1be | AmigaOS bitmap font | English | United States
RT_STRING | 0xa9ab0 | 0x1be | data | English | United States
RT_STRING | 0xa9c70 | 0x268 | data | English | United States
RT_STRING | 0xa9ed8 | 0x1cc | data | English | United States
RT_STRING | 0xaa0a8 | 0x100 | data | English | United States
RT_ACCELERATOR | 0xaa1a8 | 0x4c0 | data | English | United States
RT_ACCELERATOR | 0xaa668 | 0x20 | data | English | United States
RT_GROUP_ICON | 0xaa688 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xaa6a0 | 0x14 | data | English | United States
RT_VERSION | 0xaa6b8 | 0x378 | data | English | United States
RT_MANIFEST | 0xaaa30 | 0x37b | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
MSACM32.dll | acmDriverID
msvcrt.dll | __p__fmode, _onexit, _lock, __dllonexit, _unlock, _controlfp, _except_handler4_common, ?terminate@@YAXXZ, __set_app_type, __getmainargs, __p__commode, __setusermatherr, _amsg_exit, _initterm, exit, _XcptFilter, _exit, _cexit
ole32.dll | CreateStreamOnHGlobal
KERNEL32.dll | GetModuleHandleA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, InterlockedCompareExchange, Sleep, InterlockedExchange, DeleteCriticalSection, GetLastError, IsValidLanguageGroup
ADVAPI32.dll | OpenThreadToken
GDI32.dll | FlattenPath

Version Infos

Description | Data
LegalCopyright | Copyright 2004
InternalName | Java(TM) Control Panel
FileVersion | 5.0.60.5
Full Version | 7.8.7.7
CompanyName | Sun Microsystems, Inc.
ProductName | Java(TM) 2 Platform Standard Edition 5.0 Urdate 6
ProductVersion | 7.8.7.7
FileDescription | Java(TM) Control Panel
OriginalFilename | rjrwer.exe
Translation | 0x0409 0x04b0

                                                                                                                                                                                                                                                  Possible Origin

                                                                                                                                                                                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                                                                                                                                                                                  EnglishUnited States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 13, 2019 19:28:42.624562025 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:42.626492023 CET  49159        80         192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:42.770479918 CET  80           49159      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:42.770936012 CET  49159        80         192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:42.794912100 CET  443          49158      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:42.796547890 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:42.806310892 CET  49159        80         192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:42.875567913 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:42.951075077 CET  80           49159      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:42.951359987 CET  80           49159      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:42.951508999 CET  49159        80         192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:42.961119890 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.046484947 CET  443          49158      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:43.046669960 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:43.097728014 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:43.105570078 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.105843067 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.108867884 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.254031897 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.254745960 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.254879951 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.254910946 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.254951954 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.255145073 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.255285025 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.255436897 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.264657974 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.264863968 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.265147924 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.265316010 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.281600952 CET  443          49158      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:43.281770945 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:43.307698011 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:43.452955008 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:43.453205109 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:45.954377890 CET  80           49159      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:45.954531908 CET  49159        80         192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.256136894 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.415179968 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415218115 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415240049 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415268898 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415330887 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415422916 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415436983 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.415452003 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415473938 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415553093 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415574074 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.415664911 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.448227882 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.559580088 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559607029 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559648037 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559684038 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559736013 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559770107 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559773922 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.559799910 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559850931 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.559998035 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.560097933 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560139894 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560234070 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.560255051 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560276985 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560291052 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560318947 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560353994 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:46.560417891 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.634526968 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:46.646748066 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:47.018258095 CET  49161        7000       192.168.1.107    23.49.13.33
Nov 13, 2019 19:28:49.563240051 CET  443          49160      209.126.124.166  192.168.1.107
Nov 13, 2019 19:28:49.563359976 CET  49160        443        192.168.1.107    209.126.124.166
Nov 13, 2019 19:28:50.026355982 CET  49161        7000       192.168.1.107    23.49.13.33
Nov 13, 2019 19:28:56.026453018 CET  49161        7000       192.168.1.107    23.49.13.33
Nov 13, 2019 19:28:58.841746092 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.210062981 CET  443          49158      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:59.308619022 CET  443          49158      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:59.308957100 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.318762064 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.475634098 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:59.475799084 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.477355003 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.633157969 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:28:59.633220911 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.633922100 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.900111914 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.900342941 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:28:59.987313032 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:29:00.056915998 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:29:00.057086945 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:29:00.213268042 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:29:00.632309914 CET  443          49162      162.244.225.30   192.168.1.107
Nov 13, 2019 19:29:00.632488966 CET  49162        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:29:00.665554047 CET  49158        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:29:00.669272900 CET  49163        443        192.168.1.107    162.244.225.30
Nov 13, 2019 19:29:00.827689886 CET  443          49163      162.244.225.30   192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.828440905 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.830498934 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.838584900 CET44349158162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.838615894 CET44349158162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.838638067 CET44349158162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.840482950 CET49158443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:00.840548038 CET49158443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.004271984 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.004460096 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.005711079 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.373788118 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.378357887 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.737212896 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.833918095 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:01.834053040 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:30.751434088 CET44349162162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:30.751468897 CET44349162162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:30.751566887 CET49162443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:31.838704109 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:31.838741064 CET44349163162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:31.838890076 CET49163443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:35.582350016 CET49162443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:35.583807945 CET49162443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:35.754169941 CET44349162162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:35.754298925 CET49162443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:35.869213104 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:36.036416054 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:36.036578894 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:43.635901928 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:43.792982101 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:43.793158054 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:50.418800116 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:29:50.781721115 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:15.245270014 CET491657000192.168.1.10723.49.13.33
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:18.245536089 CET491657000192.168.1.10723.49.13.33
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:20.374777079 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:20.374811888 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:20.375180006 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:24.260863066 CET491657000192.168.1.10723.49.13.33
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.072216988 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.072432041 CET49164443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.074356079 CET49160443192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.074486971 CET4915980192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.076313019 CET49166443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.229058027 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.229368925 CET44349164162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.231313944 CET44349166162.244.225.30192.168.1.107
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.231434107 CET49166443192.168.1.107162.244.225.30
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.495193958 CET4915980192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:34.692689896 CET49160443192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:35.245215893 CET4915980192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:35.464284897 CET49160443192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:36.304990053 CET491677000192.168.1.10723.49.13.33
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:36.792114973 CET4915980192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:36.885718107 CET49160443192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:39.354396105 CET491677000192.168.1.10723.49.13.33
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:39.729300976 CET49160443192.168.1.107209.126.124.166
                                                                                                                                                                                                                                                  Nov 13, 2019 19:30:39.755330086 CET4915980192.168.1.107209.126.124.166

                                                                                                                                                                                                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 13, 2019 19:28:42.550585985 CET | 192.168.1.107 | 8.8.8.8 | 0xe53 | Standard query (0) | www.ip-adress.com | A (IP address) | IN (0x0001)
Nov 13, 2019 19:28:46.681453943 CET | 192.168.1.107 | 8.8.8.8 | 0x8df9 | Standard query (0) | 164.136.132.91.in-addr.arpa | PTR (Pointer record) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 13, 2019 19:28:42.576579094 CET | 8.8.8.8 | 192.168.1.107 | 0xe53 | No error (0) | www.ip-adress.com | | 209.126.124.166 | A (IP address) | IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET | 8.8.8.8 | 192.168.1.107 | 0xe53 | No error (0) | www.ip-adress.com | | 85.93.88.251 | A (IP address) | IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET | 8.8.8.8 | 192.168.1.107 | 0xe53 | No error (0) | www.ip-adress.com | | 85.93.89.6 | A (IP address) | IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET | 8.8.8.8 | 192.168.1.107 | 0xe53 | No error (0) | www.ip-adress.com | | 207.38.89.115 | A (IP address) | IN (0x0001)
Nov 13, 2019 19:28:46.708089113 CET | 8.8.8.8 | 192.168.1.107 | 0x8df9 | Name error (3) | 164.136.132.91.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)

HTTP Request Dependency Graph

• www.ip-adress.com

                                                                                                                                                                                                                                                  HTTP Packets

                                                                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                  0192.168.1.10749159209.126.124.16680C:\Windows\explorer.exe
                                                                                                                                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                  Nov 13, 2019 19:28:42.806310892 CET0OUTGET / HTTP/1.1
                                                                                                                                                                                                                                                  Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                  Host: www.ip-adress.com
                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                  Nov 13, 2019 19:28:42.951359987 CET1INHTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                  Date: Wed, 13 Nov 2019 18:29:03 GMT
                                                                                                                                                                                                                                                  Server: Apache
                                                                                                                                                                                                                                                  Location: https://www.ip-adress.com/
                                                                                                                                                                                                                                                  Cache-Control: max-age=1
                                                                                                                                                                                                                                                  Expires: Wed, 13 Nov 2019 18:29:04 GMT
                                                                                                                                                                                                                                                  Content-Length: 234
                                                                                                                                                                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 70 2d 61 64 72 65 73 73 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.ip-adress.com/">here</a>.</p></body></html>


                                                                                                                                                                                                                                                  HTTPS Packets

                                                                                                                                                                                                                                                  TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                                                                                                                                                                  Nov 13, 2019 19:28:43.046484947 CET162.244.225.30443192.168.1.10749158CN=hcutk.org, OU=Gaqitkxu Meafniku, C=CACN=hcutk.org, O=Umkeu Zraskepud Inc., L=Pchijdiht, ST=NV, C=CASat Oct 05 14:43:07 CEST 2019Wed Oct 04 15:31:05 CEST 2023771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0eb88d0b3e1961a0562f006e5ce2a0b87
                                                                                                                                                                                                                                                  Nov 13, 2019 19:28:43.264657974 CET209.126.124.166443192.168.1.10749160CN=*.ip-adress.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SEWed May 16 02:00:00 CEST 2018 Wed Feb 12 01:00:00 CET 2014 Tue May 30 12:48:38 CEST 2000Thu May 21 01:59:59 CEST 2020 Mon Feb 12 00:59:59 CET 2029 Sat May 30 12:48:38 CEST 2020771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                                                                  CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBWed Feb 12 01:00:00 CET 2014Mon Feb 12 00:59:59 CET 2029
                                                                                                                                                                                                                                                  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SETue May 30 12:48:38 CEST 2000Sat May 30 12:48:38 CEST 2020

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
TranslateMessage | INLINE | explorer.exe
GetClipboardData | INLINE | explorer.exe
HttpSendRequestExW | INLINE | explorer.exe
HttpOpenRequestW | INLINE | explorer.exe
HttpOpenRequestA | INLINE | explorer.exe
InternetReadFile | INLINE | explorer.exe
InternetQueryDataAvailable | INLINE | explorer.exe
InternetCloseHandle | INLINE | explorer.exe
InternetWriteFile | INLINE | explorer.exe
InternetReadFileExA | INLINE | explorer.exe
HttpSendRequestA | INLINE | explorer.exe
HttpSendRequestW | INLINE | explorer.exe
LdrLoadDll | INLINE | explorer.exe
ZwResumeThread | INLINE | explorer.exe
NtResumeThread | INLINE | explorer.exe
connect | INLINE | explorer.exe
WSASend | INLINE | explorer.exe
WSAConnect | INLINE | explorer.exe
send | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
TranslateMessage | INLINE | 0xE9 0x91 0x10 0x02 0x2F 0xF4
GetClipboardData | INLINE | 0xE9 0x9F 0xF0 0x0F 0xFA 0xA4

Process: explorer.exe, Module: WININET.dll
Function Name | Hook Type | New Data
HttpSendRequestExW | INLINE | 0xE9 0x96 0x6A 0xAC 0xC4 0x49
HttpOpenRequestW | INLINE | 0xE9 0x9A 0xAC 0xC9 0x90 0x0A
HttpOpenRequestA | INLINE | 0xE9 0x9E 0xE2 0x2D 0xD8 0x89
InternetReadFile | INLINE | 0xE9 0x96 0x6F 0xFC 0xC7 0x7A
InternetQueryDataAvailable | INLINE | 0xE9 0x95 0x53 0x37 0x72 0x2A
InternetCloseHandle | INLINE | 0xE9 0x9B 0xBC 0xCC 0xC0 0x0A
InternetWriteFile | INLINE | 0xE9 0x93 0x36 0x6C 0xC3 0x39
InternetReadFileExA | INLINE | 0xE9 0x9E 0xE0 0x0F 0xFC 0xCA
HttpSendRequestA | INLINE | 0xE9 0x92 0x23 0x33 0x36 0x69
HttpSendRequestW | INLINE | 0xE9 0x99 0x9D 0xD5 0x5B 0xBA

Process: explorer.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
LdrLoadDll | INLINE | 0xE9 0x92 0x27 0x70 0x0D 0xD4
ZwResumeThread | INLINE | 0xE9 0x99 0x96 0x63 0x33 0x35
NtResumeThread | INLINE | 0xE9 0x99 0x96 0x63 0x33 0x35

Process: explorer.exe, Module: WS2_32.dll
Function Name | Hook Type | New Data
connect | INLINE | 0xE9 0x9B 0xB4 0x48 0x8F 0xF0
WSASend | INLINE | 0xE9 0x90 0x0D 0xDB 0xB2 0x20
WSAConnect | INLINE | 0xE9 0x95 0x52 0x23 0x3B 0xB0
send | INLINE | 0xE9 0x97 0x7E 0xE8 0x8A 0xA0

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 19:27:47
Start date: 13/11/2019
Path: C:\Users\user\Desktop\zhAQkCQvME.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Imagebase: 0x400000
File size: 676352 bytes
MD5 hash: E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Datper, Description: detect Datper in memory, Source: 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: Datper, Description: detect Datper in memory, Source: 00000000.00000002.472365977.01B20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
Reputation: low

General

Start time: 19:27:49
Start date: 13/11/2019
Path: C:\Users\user\Desktop\zhAQkCQvME.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\zhAQkCQvME.exe /C
Imagebase: 0x400000
File size: 676352 bytes
MD5 hash: E7DE0CC04F0A433FCE5336B7C7504D2C
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:low

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:27:58
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                  File size:676352 bytes
                                                                                                                                                                                                                                                  MD5 hash:E7DE0CC04F0A433FCE5336B7C7504D2C
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                  • Detection: 100%, Intezer, Browse
                                                                                                                                                                                                                                                  Reputation:low

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:27:58
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
                                                                                                                                                                                                                                                  Imagebase:0x4b0000
                                                                                                                                                                                                                                                  File size:179712 bytes
                                                                                                                                                                                                                                                  MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:01
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\zhAQkCQvME.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf
                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                  File size:676352 bytes
                                                                                                                                                                                                                                                  MD5 hash:E7DE0CC04F0A433FCE5336B7C7504D2C
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                  • Rule: Datper, Description: detect Datper in memory, Source: 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                  • Rule: Datper, Description: detect Datper in memory, Source: 00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                                                  Reputation:low

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:01
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                  File size:676352 bytes
                                                                                                                                                                                                                                                  MD5 hash:E7DE0CC04F0A433FCE5336B7C7504D2C
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:low

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:02
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                  File size:676352 bytes
                                                                                                                                                                                                                                                  MD5 hash:E7DE0CC04F0A433FCE5336B7C7504D2C
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:low

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:03
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
                                                                                                                                                                                                                                                  Imagebase:0x49d90000
                                                                                                                                                                                                                                                  File size:302592 bytes
                                                                                                                                                                                                                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:04
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
                                                                                                                                                                                                                                                  Imagebase:0x810000
                                                                                                                                                                                                                                                  File size:179712 bytes
                                                                                                                                                                                                                                                  MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                  Start time:19:41:04
                                                                                                                                                                                                                                                  Start date:13/11/2019
                                                                                                                                                                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\explorer.exe
                                                                                                                                                                                                                                                  Imagebase:0x20000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Datper, Description: detect Datper in memory, Source: 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: QakBot, Description: QakBot Payload, Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Author: kevoreilly
• Rule: Datper, Description: detect Datper in memory, Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: QakBot, Description: QakBot Payload, Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Author: kevoreilly
Reputation: high

General

Start time: 19:41:04
Start date: 13/11/2019
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping.exe -n 6 127.0.0.1
Imagebase: 0x990000
File size: 15360 bytes
MD5 hash: 6242E3D67787CCBF4E06AD2982853144
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:41:05
Start date: 13/11/2019
Path: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Imagebase: 0x400000
File size: 676352 bytes
MD5 hash: E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:41:17
Start date: 13/11/2019
Path: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe'
Imagebase: 0x400000
File size: 676352 bytes
MD5 hash: E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:41:18
Start date: 13/11/2019
Path: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Imagebase: 0x400000
File size: 676352 bytes
MD5 hash: E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:41:28
Start date: 13/11/2019
Path: C:\Windows\System32\taskhost.exe
Wow64 process (32bit): false
Commandline: taskhost.exe
Imagebase: 0x830000
File size: 49152 bytes
MD5 hash: 72E953215CADE1A726C04AAFDF6B463D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:41:38
Start date: 13/11/2019
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\Dwm.exe
Imagebase: 0x90000
File size: 92672 bytes
MD5 hash: 505BF4D1CADEB8D4F8BCD08D944DE25D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:41:44
Start date: 13/11/2019
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x20000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:42:02
Start date: 13/11/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe '-1424767469172410782218338736475073951151716783479-3432011951180489686930716817
Imagebase: 0x3f0000
File size: 271360 bytes
MD5 hash: 761D6906DE888CF832606CFCDC9E7C47
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:42:22
Start date: 13/11/2019
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: notepad
Imagebase: 0x30000
File size: 179712 bytes
MD5 hash: A4F6DF0E33E644E802C8798ED94D80EA
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:42:34
Start date: 13/11/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe '-1474411583-1677719561-3844903701797535695-949774581987480516-1169154459-1441374392
Imagebase: 0x3f0000
File size: 271360 bytes
MD5 hash: 761D6906DE888CF832606CFCDC9E7C47
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis

