
Analysis Report zhAQkCQvME

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 997215
Start date: 13.11.2019
Start time: 19:26:48
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 15m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: zhAQkCQvME (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 6
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winEXE@25/7@2/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 66.9% (good quality ratio 61.7%)
  • Quality average: 77%
  • Quality standard deviation: 31.8%
HCA Information:
  • Successful, ratio: 83%
  • Number of executed functions: 255
  • Number of non-executed functions: 213
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Qbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample hooks winsock APIs (likely related to a banking trojan), analyze sample with the 'Check if internet explorer is infected by malware' cookbook
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

The matrix is flattened here into one list per tactic, in the original column order. A numeral after a technique is the count badge the matrix displayed beside it, kept as rendered; techniques without one are the matrix's unmatched cells.

Initial Access:
  • Valid Accounts 1
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
  • Trusted Relationship
  • Hardware Additions
Execution:
  • Windows Management Instrumentation 21
  • Execution through API 1
  • Command-Line Interface 1
  • Service Execution 2
  • Scheduled Task 1
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32
  • PowerShell
  • Execution through API
  • Regsvr32
Persistence:
  • Registry Run Keys / Startup Folder 1
  • Hooking 21
  • Valid Accounts 1
  • Scheduled Task 1
  • Modify Existing Service 1
  • New Service 3
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
  • Change Default File Association
  • File System Permissions Weakness
  • New Service
Privilege Escalation:
  • Exploitation for Privilege Escalation 1
  • Hooking 21
  • Valid Accounts 1
  • Access Token Manipulation 11
  • Process Injection 711
  • Scheduled Task 1
  • New Service 3
  • Process Injection
  • Service Registry Permissions Weakness
  • Exploitation for Privilege Escalation
  • Valid Accounts
  • Bypass User Account Control
Defense Evasion:
  • Software Packing 22
  • Deobfuscate/Decode Files or Information 1
  • Obfuscated Files or Information 2
  • Rootkit 2
  • Valid Accounts 1
  • Access Token Manipulation 11
  • Process Injection 711
  • Indicator Blocking
  • Process Injection
  • Scripting
  • Indicator Removal from Tools
  • Indicator Removal on Host
Credential Access:
  • Network Sniffing 1
  • Hooking 21
  • Input Capture 11
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
  • Keychain
  • Private Keys
  • Securityd Memory
Discovery:
  • System Time Discovery 1
  • Account Discovery 1
  • Security Software Discovery 341
  • File and Directory Discovery 1
  • Network Sniffing 1
  • System Information Discovery 35
  • Network Share Discovery 1
  • Query Registry 1
  • Process Discovery 4
  • System Owner/User Discovery 1
  • Remote System Discovery 11
  • System Network Configuration Discovery 2
Lateral Movement:
  • Remote File Copy 2
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
  • Taint Shared Content
  • Replication Through Removable Media
  • Pass the Ticket
Collection:
  • Input Capture 11
  • Clipboard Data 1
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
  • Audio Capture
  • Video Capture
  • Man in the Browser
Exfiltration:
  • Data Encrypted 11
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
Command and Control:
  • Uncommonly Used Port 1
  • Remote File Copy 2
  • Standard Cryptographic Protocol 22
  • Standard Non-Application Layer Protocol 3
  • Standard Application Layer Protocol 13
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
  • Connection Proxy
  • Communication Through Removable Media
  • Custom Command and Control Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: zhAQkCQvME.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
Source: zhAQkCQvME.exe | Joe Sandbox ML: detected
Genetic Malware detection for sample
Source: zhAQkCQvME.exe | Intezer: detection malicious, Label: Qakbot
Genetic detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Intezer: detection malicious, Label: Qakbot
Multi AV Scanner detection for submitted file
Source: zhAQkCQvME.exe | Virustotal: Detection: 76%
Antivirus or Machine Learning detection for unpacked file
Source: 18.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 12.2.explorer.exe.3f0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 17.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 5.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 14.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 7.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 7.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 1.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 6.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.zhAQkCQvME.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 14.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 18.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 17.2.jkfkdm.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 6.0.jkfkdm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.hfoah
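The nineteen unpacked-file detections above are easier to read once grouped by dump phase. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the dump identifiers as listed and groups the Avira labels by their second field. Reading that identifier as <process index>.<dump phase>.<image>.<base address>.<n>.unpack, with phase 0 taken at process start and phase 2 at process end, is an assumption about the sandbox's naming convention.

```python
"""Group the report's per-dump AV labels by dump phase.

Added example, not part of the Joe Sandbox report. The identifiers and labels
are copied from the list above; the reading of the identifier fields
(process index, dump phase, image name, base address, dump number) is an
assumption about the naming convention, not documented on the page.
"""
from __future__ import annotations

import re
from collections import defaultdict

UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\."
    r"(?P<base>[0-9a-fA-F]+)\.(?P<n>\d+)\.unpack$"
)

# (identifier, Avira label), copied from the "unpacked file" detections above.
DETECTIONS = [
    ("18.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("12.2.explorer.exe.3f0000.0.unpack", "TR/Crypt.XPACK.Gen3"),
    ("17.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("5.0.zhAQkCQvME.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("14.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("7.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("7.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("2.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("1.0.zhAQkCQvME.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("6.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("2.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("0.2.zhAQkCQvME.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("5.2.zhAQkCQvME.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("0.0.zhAQkCQvME.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("14.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
    ("18.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("1.2.zhAQkCQvME.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("17.2.jkfkdm.exe.400000.1.unpack", "TR/Crypt.XPACK.Gen3"),
    ("6.0.jkfkdm.exe.400000.0.unpack", "TR/Crypt.ZPACK.hfoah"),
]


def parse_unpack_id(ident: str) -> dict:
    """Split one dump identifier into its fields (field meaning is assumed)."""
    m = UNPACK_RE.match(ident)
    if not m:
        raise ValueError(f"not an unpack identifier: {ident}")
    return {
        "proc": int(m["proc"]),
        "phase": int(m["phase"]),
        "image": m["image"],
        "base": int(m["base"], 16),
        "n": int(m["n"]),
    }


def labels_by_phase(detections: list[tuple[str, str]]) -> dict[int, set[str]]:
    """Which AV labels were attached to dumps taken in each phase."""
    out: dict[int, set[str]] = defaultdict(set)
    for ident, label in detections:
        out[parse_unpack_id(ident)["phase"]].add(label)
    return dict(out)


def images(detections: list[tuple[str, str]]) -> list[str]:
    """Distinct image names that produced a detected dump."""
    return sorted({parse_unpack_id(i)["image"] for i, _ in detections})


def unusual_bases(detections: list[tuple[str, str]], usual: int = 0x400000) -> list[str]:
    """Dumps whose base is not the default image base of the sample."""
    return [i for i, _ in detections if parse_unpack_id(i)["base"] != usual]


if __name__ == "__main__":
    for phase, labels in sorted(labels_by_phase(DETECTIONS).items()):
        print(f"phase {phase}: {sorted(labels)}")
    print("images:", images(DETECTIONS))
    print("unusual bases:", unusual_bases(DETECTIONS))
```

Under that reading every phase-0 dump carries the packed-sample label (TR/Crypt.ZPACK.hfoah) and every phase-2 dump carries the generic unpacked label (TR/Crypt.XPACK.Gen3), for the submitted file and the dropped copy alike, which is what the Software Packing entry in the matrix above describes. The single explorer.exe entry is the only dump not at 0x400000, consistent with the report's count of injected processes.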

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\explorer.exe | Code function: 12_2_01510C9E CryptAcquireContextA, 12_2_01510C9E

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00410BA0 NetUserEnum, LookupAccountNameW, LookupAccountNameW, Sleep, NetApiBufferFree, 0_2_00410BA0
Source: C:\Windows\explorer.exe | Code function: 12_2_00400BA0 NetUserEnum, LookupAccountNameW, LookupAccountNameW, Sleep, NetApiBufferFree, 12_2_00400BA0
(The matched call sequence lists user accounts with NetUserEnum and resolves each name to a SID with LookupAccountNameW; it enumerates accounts rather than shares.)
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\explorer.exe | Code function: 12_2_0151B870 FindFirstFileW, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, 12_2_0151B870

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: www.ip-adress.com
Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
(The target is the loopback address; pinging 127.0.0.1 with -n 6 is the common batch-file idiom for pausing a few seconds, not a probe of other devices.)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.107:49161 -> 23.49.13.33:7000
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 23.49.13.33
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
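A JA3 value such as the two above is the MD5 of a string built from the client's TLS ClientHello. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own code: it serialises a hand-constructed ClientHello and derives the JA3 string and hash from it. The ClientHello is invented for illustration, so its fingerprint is not one of the two listed; the cipher suites, extensions and the example.com server name are assumptions chosen to exercise the GREASE filtering.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record.

Added example, not part of the Joe Sandbox report. The ClientHello is
constructed below (ciphers, extensions and server name are arbitrary
choices), so the resulting hash is not one of the report's fingerprints.
"""
from __future__ import annotations

import hashlib
import struct

# GREASE values (RFC 8701) are skipped by JA3 so that randomised filler
# inserted by modern clients does not change the fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version: int, ciphers: list[int],
                       extensions: list[tuple[int, bytes]]) -> bytes:
    """Serialise a minimal TLS record carrying a ClientHello.

    `extensions` is a list of (type, raw body) pairs in wire order; that
    order is part of the fingerprint.
    """
    body = struct.pack(">H", version) + bytes(32)          # client_version, random
    body += b"\x00"                                        # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                    # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_string(record: bytes) -> str:
    """Parse the record into the 'version,ciphers,extensions,curves,formats' string."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                  # handshake type + 3-byte length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                                            # client_version, random
    p += 1 + hs[p]                                         # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [c for c in struct.unpack(f">{cs_len // 2}H", hs[p:p + cs_len])
               if c not in GREASE]
    p += cs_len
    p += 1 + hs[p]                                         # compression methods
    ext_types: list[int] = []
    curves: list[int] = []
    formats: list[int] = []
    if p < len(hs):
        ext_len = struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                                # supported_groups
                n = struct.unpack(">H", data[:2])[0] // 2
                curves = [g for g in struct.unpack(f">{n}H", data[2:2 + 2 * n])
                          if g not in GREASE]
            elif etype == 11:                              # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def dash(xs: list[int]) -> str:
        return "-".join(str(x) for x in xs)

    return f"{version},{dash(ciphers)},{dash(ext_types)},{dash(curves)},{dash(formats)}"


def ja3_hash(record: bytes) -> str:
    """JA3 is the MD5 of the string; hex digest as shown in the report."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed ClientHello: TLS 1.2, three real suites plus a GREASE filler,
# a GREASE extension, server_name (example.com), supported_groups and
# ec_point_formats. Values are arbitrary choices for this example.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0xc02b, 0xc02f, 0x009c],
    [
        (0x1a1a, b""),
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),           # list len, name type, name len, name
        (10, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),         # x25519, secp256r1, secp384r1
        (11, b"\x01\x00"),                                 # uncompressed
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

Because GREASE values are dropped, the same client with and without filler produces the same fingerprint, which is why a JA3 value can be matched across samples in a view like the one cited above; conversely, any change to cipher order or extension order yields a different hash, so a fingerprint identifies a TLS stack and its configuration rather than a piece of malware on its own.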
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.ip-adress.com
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 162.244.225.30 (42 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.49.13.33 (8 connections)
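The two network signatures above, traffic to a non-standard port and connections to addresses that no DNS answer explains, are simple to reproduce from a sandbox event log. The script below is an added example, not part of the Joe Sandbox report: it walks a constructed log modelled on the report's event lines and raises both findings. The log, the address 198.51.100.7 standing in for the ip-adress.com resolution, the port-443 connections to 162.244.225.30 and the port set treated as standard are all assumptions.

```python
"""Correlate DNS and TCP events from a sandbox-style network log.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is constructed
to mirror the report's event lines; the resolved address 198.51.100.7 and
the destination ports are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter

# Ports a desktop host is expected to talk to; anything else is reported.
# The set is a judgement call and deliberately small here.
STANDARD_PORTS = {53, 80, 443}

DNS_RE = re.compile(r"DNS answer: (?P<name>\S+) -> (?P<ip>\d+\.\d+\.\d+\.\d+)")
TCP_RE = re.compile(
    r"TCP traffic: (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed log, in chronological order.
SAMPLE_LOG = """\
DNS query: name: www.ip-adress.com
DNS answer: www.ip-adress.com -> 198.51.100.7
TCP traffic: 192.168.1.107:49160 -> 198.51.100.7:80
TCP traffic: 192.168.1.107:49161 -> 23.49.13.33:7000
TCP traffic: 192.168.1.107:49162 -> 162.244.225.30:443
TCP traffic: 192.168.1.107:49163 -> 162.244.225.30:443
TCP traffic: 192.168.1.107:49164 -> 23.49.13.33:7000
TCP traffic: 192.168.1.107:49165 -> 162.244.225.30:443
"""


def analyse(log: str) -> dict:
    """Walk the log in order, remembering which IPs DNS has resolved so far.

    A connection counts as "without DNS" only when no answer for that IP
    preceded it: an answer that arrives later cannot explain an earlier
    connection, and a hard-coded C2 address list never produces one at all.
    """
    resolved: dict[str, str] = {}       # ip -> name that resolved to it
    no_dns: Counter = Counter()         # ip -> connections with no prior answer
    nonstandard: Counter = Counter()    # (ip, port) -> connections
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            resolved[m["ip"]] = m["name"]
            continue
        m = TCP_RE.search(line)
        if m:
            dst, dport = m["dst"], int(m["dport"])
            if dst not in resolved:
                no_dns[dst] += 1
            if dport not in STANDARD_PORTS:
                nonstandard[(dst, dport)] += 1
    return {"resolved": resolved, "no_dns": no_dns, "nonstandard_ports": nonstandard}


def report(log: str) -> list[str]:
    """Render the findings one line per destination, as the signature section does."""
    r = analyse(log)
    lines = [f"TCP traffic without corresponding DNS query: {ip} ({n} connections)"
             for ip, n in sorted(r["no_dns"].items())]
    lines += [f"TCP traffic on non-standard port: {ip}:{port} ({n} connections)"
              for (ip, port), n in sorted(r["nonstandard_ports"].items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The ordering rule matters in practice: a sandbox run that happens to resolve a name after a connection to the same address would otherwise hide a hard-coded destination, and the collapsed counts per address make the repetitive entries in a report like this one readable at a glance.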
Downloads files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\Y0S5SGVE.htm
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.ip-adress.com
  Cache-Control: no-cache
Found strings which match to known social media urls
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <a href="https://www.facebook.com/whoisip" target="_blank">Visit ip-adress.com on Facebook</a> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <aside class="share"><div class="shariff" data-button-style="standard" data-lang="en" data-services="facebook,twitter,googleplus"></div></aside><aside class="ad link no-label"> equals www.twitter.com (Twitter)
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: <p>Your IP is the network protocol in the background that helps you communicate online using websites, sending email, chatting on Facebook, and everything else requiring an Internet connection. An IP Address is required to connect to the Internet, and IP-Adress.com gives you the tools that can help you.</p> equals www.facebook.com (Facebook)
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365!$ equals www.hotmail.com (Hotmail)
Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: NTUSER.DAT<%02X>AVAST Softwarei3w1explorer.exef1DELETE.aniEND*/* url=[%s] user=[%s] pass=[%s]LEFT10AvastObtainUserAgentString.lnkPR_SetError000comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;mysh
Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;myshopres.com;conduit-services.com;zynga.com;.5min.com;netflix.com;tubemogul.com;youtube.com;brightcove.com;mochibot.com;fwmrm.net;mendeley.com equ
Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp | String found in binary or memory: facebook.com/login equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.ip-adress.com
Urls found in memory or binary data
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: explorer.exe, 0000000C.00000003.528867765.024F6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainVal
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000002.755364075.0247C000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5c237a5af5bbb
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk0Zjk4MDE0NWQzMTY4NzhkNWI2YjZhNDRlYTRiYTdlNzQ4O
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMBW?ver=870f
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl4?ver=1412
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl8?ver=7064
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIE?ver=198d
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIH?ver=cc00
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIm?ver=d018
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAFvutY?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtTgs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtYkG?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtrJ1?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuD5P?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuFNw?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHucYP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudP8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudWM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuzRp?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv5DU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv9aU?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvWgM?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvXhQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvaL6?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvwNG?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwCff?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwESx?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwGur?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwOoE?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwR4s?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzklAJ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBGjoVB?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBIbTiS?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBK9Hzy?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPRPvf?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBSDdmG?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTrj40?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUZVvV?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVBUge?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: taskhost.exe, 00000013.00000000.539359532.00216000.00000004.00000020.sdmpString found in binary or memory: http://schemas.micro
Source: zhAQkCQvME.exe, 00000000.00000003.453309642.01B5B000.00000004.00000001.sdmp, zhAQkCQvME.exe, 00000005.00000003.475248063.00F2B000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.481716807.0177B000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoa
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/865af804/webcore/externalscripts/oneTrust/de-
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-434a1743/directi
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp, taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-72257498/directio
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAFvutY.img?h=368&w=622
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtTgs.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtYkG.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtrJ1.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuD5P.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuFNw.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHucYP.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudP8.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudWM.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuzRp.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv5DU.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv9aU.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvWgM.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvXhQ.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvaL6.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvwNG.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwCff.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwESx.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwGur.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwOoE.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwR4s.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzklAJ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmpString found in binary or memory: http://www.flos-freeware.ch
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmpString found in binary or memory: http://www.flos-freeware.ch.JNo
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exeString found in binary or memory: http://www.ip-adress.com
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: http://www.ip-adress.com/
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmpString found in binary or memory: http://www.ip-adress.comIP
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
Source: taskhost.exe, 00000013.00000000.549280591.015B0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://162.244.225.30/
Source: explorer.exe, 0000000C.00000002.755328696.02450000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.551865684.00262000.00000004.00000020.sdmpString found in binary or memory: https://162.244.225.30/t3
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://162.244.225.30/t3l
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://162.244.225.30/t3rn
Source: explorer.exe, 0000000C.00000002.753929443.0190E000.00000004.00000040.sdmpString found in binary or memory: https://162.244.225.30:443/t3
Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmpString found in binary or memory: https://9i43.gifabc11application/x-shockwave-flash
Source: explorer.exe, 0000000C.00000003.535537778.01779000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, dwm.exe, 00000015.00000002.760410563.013B0000.00000040.00000001.sdmpString found in binary or memory: https://Content-LengthHostHTTP/1.1.text
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV4251.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://cvision.media.net/new/300x300/2/215/35/104/aa3002d0-2753-44c0-81c6-b4a1cc6b295a.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://cvision.media.net/new/300x300/2/249/134/240/448cf229-1ded-4c2a-8cfe-21be5d0e9c41.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://cvision.media.net/new/300x300/2/29/52/32/f97e093e-8f0a-46a8-8138-df7da8ff5790.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://cvision.media.net/new/300x300/3/74/46/90/d639d099-11d6-4d90-82f4-691ae09aeb85.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMCc?ver=931d&q=90&m
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmpString found in binary or memory: https://logincdn.msauth.net/16.000/MeControl_c9aw5DbuWFl6vX_Fomxwrw2.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meBoot.min.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meCore.min.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmpString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmpString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmpString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://wh.ip-adress.com/c
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://wh.ip-adress.com/r1
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/maps/embed/v1/view?key=AIzaSyDtXbKhM0BYZn5-zkO-6b1E8DE6UG9vMbo&center=47.3925
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/N
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/about
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/advertising
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/contact
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/glossary/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address-distance
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/10.234.25.119
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/162.159.133.234
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/189.239.190.192
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/197.80.130.8
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/65.25.55.21
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/74.50.111.156
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/80.187.107.2
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-address/lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/ip-to-zip-code
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/legal-notice
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/privacy-policy
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/proxy-checker
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/proxy-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/reverse-ip-lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/search
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/service/ip-location-api
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/service/ip-location-database
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.css
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/site-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/sitemap
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/speedtest/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/trace-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/verify-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/website/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/website/express.de
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/website/indoxxi.center
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/what-is-my-ip-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmpString found in binary or memory: https://www.ip-adress.com/whois-lookup
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49160 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49158
Source: unknown; Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49158 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49160
Source: unknown; Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Hooks clipboard functions (used to sniff clipboard data)
Source: explorer.exe; IAT, EAT or inline hook detected: module: USER32.dll, function: GetClipboardData
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\System32\taskhost.exe; Code function: 19_2_015D9210 GetModuleHandleA,GetProcAddress,GetKeyboardState,ToAscii,19_2_015D9210

E-Banking Fraud:

Hooks winsocket function (used for sniffing or altering network traffic)
Source: explorer.exe | File created: function: HttpSendRequestExW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_0040C370 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,GetCurrentProcess,NtDuplicateObject,CloseHandle,_wcscmp,CloseHandle,CloseHandle,CloseHandle,StrStrIW,CloseHandle,CloseHandle
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00404400 GetLastError,EqualSid,memset,CreateProcessAsUserW,CloseHandle
Creates mutexes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{B9EC2CD2-EC20-4B7F-99E4-9EB20CB3037F}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Mutant created: \BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Mutant created: \Sessions\1\BaseNamedObjects\wuinmr
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\explorer.exe | Code function: String function: 01510CBC appears 37 times
PE file contains strange resources
Source: zhAQkCQvME.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zhAQkCQvME.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zhAQkCQvME.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamerjrwer.exev vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470376366.002B0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000002.451933719.00170000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp | Binary or memory string: originalfilename vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.482849544.002B0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.485204244.00A60000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs zhAQkCQvME.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | File read: C:\Users\user\Desktop\zhAQkCQvME.exe
Yara signature match
Source: 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 00000000.00000002.472365977.01B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
PE file contains an invalid data directory
Source: zhAQkCQvME.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0
Source: jkfkdm.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: zhAQkCQvME.exe | Static PE information: Section: CODE ZLIB complexity 0.999666291739
Source: jkfkdm.exe.0.dr | Static PE information: Section: CODE ZLIB complexity 0.999666291739
Classification label
Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@25/7@2/4
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00407340 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00404290 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00410920 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00408290 FindResourceA,SizeofResource,LoadResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Source: C:\Windows\explorer.exe | Code function: 12_2_003F1420 StartServiceCtrlDispatcherA
Creates files inside the user directory
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~jkfkdm.tmp
Found command line output
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: zhAQkCQvME.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries a list of all open handles
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | System information queried: HandleInformation
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Reads software policies
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: zhAQkCQvME.exe | Virustotal: Detection: 76%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\zhAQkCQvME.exe 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown | Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Source: unknown | Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
PE file contains a debug data directory
Source: zhAQkCQvME.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe | Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
PE file contains an invalid checksum
Source: jkfkdm.exe.0.dr | Static PE information: real checksum: 0x36016 should be: 0xb495e
Source: zhAQkCQvME.exe | Static PE information: real checksum: 0x36016 should be: 0xb495e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\explorer.exe | Code function: 12_2_0040ACE6 push ebx; ret 12_2_0040ACE7
Source: C:\Windows\explorer.exe | Code function: 12_2_0040AA34 push cs; iretd 12_2_0040AB0A
Source: C:\Windows\explorer.exe | Code function: 12_2_0040AB36 push cs; iretd 12_2_0040AB0A
Source: C:\Windows\explorer.exe | Code function: 12_2_0153212C push cs; iretd 12_2_01532202
Source: C:\Windows\explorer.exe | Code function: 12_2_0152B043 push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe | Code function: 12_2_0152B0AB push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe | Code function: 12_2_0152B0AD push 0000006Ah; retf 12_2_0152B11C
Source: C:\Windows\explorer.exe | Code function: 12_2_015323DE push ebx; ret 12_2_015323DF
Source: C:\Windows\explorer.exe | Code function: 12_2_01535260 push esp; ret 12_2_01535264
Source: C:\Windows\explorer.exe | Code function: 12_2_0153222E push cs; iretd 12_2_01532202
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015F3D7E push ebx; ret 19_2_015F3D7F
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015F3BCE push cs; iretd 19_2_015F3BA2
Source: C:\Windows\System32\taskhost.exe | Code function: 19_2_015F3ACC push cs; iretd 19_2_015F3BA2
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013D3BCE push cs; iretd 21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013D3ACC push cs; iretd 21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_013D3D7E push ebx; ret 21_2_013D3D7F
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011F3BCE push cs; iretd 24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011F3ACC push cs; iretd 24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe | Code function: 24_2_011F3D7E push ebx; ret 24_2_011F3D7F
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011D3BCE push cs; iretd 25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011D3ACC push cs; iretd 25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe | Code function: 25_2_011D3D7E push ebx; ret 25_2_011D3D7F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\zhAQkCQvME.exe
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Contains functionality to start windows services
Source: C:\Users\user\Desktop\zhAQkCQvME.exe | Code function: 0_2_00401420 StartServiceCtrlDispatcherA
Creates an autostart registry key
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: TranslateMessage new code: 0xE9 0x91 0x10 0x02 0x2F 0xF4
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Memory written: PID: 2600 base: 5102D value: E9 2E 1A 3A 00
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA, 0_2_0040B120
Source: C:\Windows\explorer.exe Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA, 12_2_003FB120
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040B450 in eax, dx 0_2_0040B450
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found stalling execution ending in API Sleep call
Source: C:\Windows\explorer.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp Binary or memory string: OLLYDBG.EXE
Source: dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp Binary or memory string: OLLYDBG.EXEP
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp Binary or memory string: OLLYDBG.EXECJ
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp Binary or memory string: WINDBG.EXE
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp Binary or memory string: WINDBG.EXEDJ
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\zhAQkCQvME.exe RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhAQkCQvME.exe RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 0_2_0040AE50
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040AC10 SetupDiGetDeviceRegistryPropertyA,GetLastError, 0_2_0040AC10
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\cmd.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zhAQkCQvME.exe
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\dwm.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\notepad.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\taskhost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\dwm.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\taskhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\notepad.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 1500 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2376 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2396 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2428 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2440 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2464 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 1988 Thread sleep time: -780000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2112 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2112 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2500 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2924 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2056 Thread sleep count: 35 > 30
Source: C:\Windows\explorer.exe TID: 1892 Thread sleep time: -6240000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1892 Thread sleep time: -60000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\explorer.exe Code function: 12_2_0151B870 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW, 12_2_0151B870
Contains functionality to query system information
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00409F40 GetSystemInfo, 0_2_00409F40
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000016.00000000.606027780.031C6000.00000004.00000001.sdmp Binary or memory string: vmbusres.dlld
Program exit points
Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 0_2_0040AE50
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00407A30
Contains functionality to read the PEB
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_015FCDB0 mov eax, dword ptr fs:[00000030h] 19_2_015FCDB0
Source: C:\Windows\System32\taskhost.exe Code function: 19_2_004C0000 mov eax, dword ptr fs:[00000030h] 19_2_004C0000
Source: C:\Windows\System32\dwm.exe Code function: 21_2_013DCDB0 mov eax, dword ptr fs:[00000030h] 21_2_013DCDB0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_001E0000 mov eax, dword ptr fs:[00000030h] 21_2_001E0000
Source: C:\Windows\System32\conhost.exe Code function: 24_2_011FD090 mov eax, dword ptr fs:[00000030h] 24_2_011FD090
Source: C:\Windows\System32\conhost.exe Code function: 24_2_01250000 mov eax, dword ptr fs:[00000030h] 24_2_01250000
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011DCDB0 mov eax, dword ptr fs:[00000030h] 25_2_011DCDB0
Source: C:\Windows\System32\notepad.exe Code function: 25_2_011F0000 mov eax, dword ptr fs:[00000030h] 25_2_011F0000
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\explorer.exe Code function: 12_2_0150F10A GetProcessHeap,HeapAlloc, 12_2_0150F10A
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 0_2_005C2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_005C2A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 1_2_01322A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 1_2_01322A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 2_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 2_2_01292A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe Code function: 5_2_006D2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 5_2_006D2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 6_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 6_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 7_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 7_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 14_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 14_2_01252A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 17_2_012A2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 17_2_012A2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Code function: 18_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 18_2_01252A35

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 209.126.124.166 187
Source: C:\Windows\explorer.exe Network Connect: 23.49.13.33 7000
Source: C:\Windows\explorer.exe Network Connect: 162.244.225.30 187
Allocates memory in foreign processes
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute readJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute readJump to behavior
Creates a thread in another existing process (thread injection)Show sources
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\taskhost.exe EIP: 4C0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\dwm.exe EIP: 1E0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\explorer.exe EIP: 1ED0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\conhost.exe EIP: 1250000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\notepad.exe EIP: 11F0000Jump to behavior
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\conhost.exe EIP: 90000Jump to behavior
Injects code into the Windows Explorer (explorer.exe)Show sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exeMemory written: PID: 2600 base: 5102D value: E9Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E20000 value: FEJump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E30000 value: F6Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E40000 value: 11Jump to behavior
Source: C:\Windows\explorer.exeMemory written: PID: 1692 base: 1E80000 value: 43