Edit tour

Windows Analysis Report
0l7FCRHpVv.sys

Overview

General Information

Sample name:	0l7FCRHpVv.sys (renamed file extension from none to sys, renamed because original name is a hash value)
Original sample name:	957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
Analysis ID:	1430865
MD5:	47f90748e3a13873cae30afc47937606
SHA1:	3a6aa88848c159809fa6e0c4151c3b390c4bcfe3
SHA256:	957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
Infos:

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: invalid image protect

Detection

GhostRat

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Contains functionality to create processes via WMI

Found strings related to Crypto-Mining

May modify the system service descriptor table (often done to hook functions)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

May infect USB drives

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0l7FCRHpVv.sys	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0l7FCRHpVv.sys	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x64f10:$s1: \classes\mscfile\shell\open\command 0x64fd2:$s1: \classes\mscfile\shell\open\command 0x64f8a:$s2: eventvwr.exe
0l7FCRHpVv.sys	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x962:$s1: nur\noisrevtnerruc\swodniw\tfosorcim

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.screenblaze.com/	Avira URL Cloud: Label: malware
Source: http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg	Avira URL Cloud: Label: malware
Source: http://www.coolmelife.com/downloaddrivers	Avira URL Cloud: Label: phishing
Source: http://www.krvkr.com/worm.htmwidth=0height=0	Avira URL Cloud: Label: malware
Source: http://gpt0.ru/web/rtcomh	Avira URL Cloud: Label: malware
Source: http://zief.pl/rc/	Avira URL Cloud: Label: malware
Source: http://www.fgetchr.cn:81/g/tj/1/1.asp?mac=	Avira URL Cloud: Label: malware
Source: http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Source: 0l7FCRHpVv.sys	ReversingLabs: Detection: 15%
Source: 0l7FCRHpVv.sys	Virustotal: Detection: 15%			Perma Link

Bitcoin Miner

Found strings related to Crypto-Mining

Source: 0l7FCRHpVv.sys	String found in binary or memory: stratum+tcp://
Source: 0l7FCRHpVv.sys	String found in binary or memory: Cryptonight.A!bit
Source: 0l7FCRHpVv.sys	String found in binary or memory: stratum+tcp://

Source:	Binary string: Gh0st RATGH0STC%sGH0STC%s - Key LoggerA server has successfully been created!e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: \hide_evr2.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: BreakIn.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: \UpanZhongMa\Release\UpanZhongMa.pdbTrojan:PDF/Phish!rfn source: 0l7FCRHpVv.sys
Source:	Binary string: e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: interlockedexchangezwenumeratevaluekeykeservicedescriptortablezwquerydirectoryfilezwquerysysteminformationhide_evr2.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: keservicedescriptortable\driver.pdbhooking.cpp: sst indexb source: 0l7FCRHpVv.sys
Source:	Binary string: \device\ipfilterdriverkeservicedescriptortable\driver.pdbhooking.cpp: sst indexbogusprotocol source: 0l7FCRHpVv.sys
Source:	Binary string: drivers\tesafe.sys\tesafe\release\server.pdbdrivers\kvsys.sys\\.\tesafe360safe.exe\usp10.dll source: 0l7FCRHpVv.sys

Source: 0l7FCRHpVv.sys	Binary or memory string: @software\borland\delphi\rtlautorun.infshellexecuteshell\auto\commandieframe\software\microsoft\windows\currentversion\runsyscomc:\documents and settings\all users\menu iniciar\programas\inicializar
Source: 0l7FCRHpVv.sys	Binary or memory string: \documents and settings\ms windows\desktop\final valga\svchots.vbpem.{645ff040-5081-101b-9f08-00aa002f954e}shell\open\command=open[autorun]frmValga
Source: 0l7FCRHpVv.sys	Binary or memory string: autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]
Source: 0l7FCRHpVv.sys	Binary or memory string: S[autorun]shellexecute=wscript.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: filesetattrib,+SAHR,%tmpth%Run,%comspec% /c echo [autoRun]if infline != [autorun]filesetattrib,-SHR,E:\autorun.inf#singleinstance,forcerun,%comspec% /c tskill iexplorer,,hide useerrorlevel
Source: 0l7FCRHpVv.sys	Binary or memory string: filesetattrib,+SAHR,%tmpth%Run,%comspec% /c echo [autoRun]if infline != [autorun]filesetattrib,-SHR,E:\autorun.inf#singleinstance,forcerun,%comspec% /c tskill iexplorer,,hide useerrorlevel
Source: 0l7FCRHpVv.sys	Binary or memory string: \help\csrss.exe\help\autorun.inf\security\csrss.exe\security\autorun.infopen=csrss.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: cgetdrivetypeasoftware\borland\delphi\rtl\help\csrss.exe\help\autorun.inf\security\csrss.exe\security\autorun.infopen=csrss.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: :shell\Auto\command=Execl.exeshellexecute=Execl.exeopen=Execl.exe[AutoRun]\autorun.infStartServiceCtrlDispatcherACreateThreadWinExecGetDriveTypeATXOService
Source: 0l7FCRHpVv.sys	Binary or memory string: :shell\Auto\command=Execl.exeshellexecute=Execl.exeopen=Execl.exe[AutoRun]\autorun.infStartServiceCtrlDispatcherACreateThreadWinExecGetDriveTypeATXOService
Source: 0l7FCRHpVv.sys	Binary or memory string: A[Autorun]open=joniezz.exeprop:filedescription;sizepolicies\system\disablecmdshowsuperhiddenshutdown -s -f
Source: 0l7FCRHpVv.sys	Binary or memory string: jautorun.inf[autorun]shellexecute=.\trickyboy.msi
Source: 0l7FCRHpVv.sys	Binary or memory string: jautorun.inf[autorun]shellexecute=.\trickyboy.msi
Source: 0l7FCRHpVv.sys	Binary or memory string: %c:\autorun.inf%c:\RECYCLER
Source: 0l7FCRHpVv.sys	Binary or memory string: ]%c:\autorun.inf\command.com%s\explorer %c:shellexecute=recycler\%s%s /c rd %c:\recycler\%s /s/q
Source: 0l7FCRHpVv.sys	Binary or memory string: autorun.inf +h +r +s
Source: 0l7FCRHpVv.sys	Binary or memory string: autorun.inf +h +r +smm.exe +h +r +sshell\explore\command\software\microsoft\windows\currentversion\explorer\shell foldersf126.com/go/
Source: 0l7FCRHpVv.sys	Binary or memory string: jW[autorun]%s\autorun.inf%s\%d-%d-%d.jpg\system32\drivers\autorun.shell\explore\command=%s.exeadministrador de tareas de windows
Source: 0l7FCRHpVv.sys	Binary or memory string: jW[autorun]%s\autorun.inf%s\%d-%d-%d.jpg\system32\drivers\autorun.shell\explore\command=%s.exeadministrador de tareas de windows
Source: 0l7FCRHpVv.sys	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: Autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: x\*.exedeulledo-x.scr:\autorun.inf\system32\logonui.scr\program files\winamp\winamp\software\microsoft\windows nt\currentversion\winlogonsoftware\microsoft\windows\currentversion\explorer\workgroupcrawler\sharesdisabletaskmgrtoolhelp32readprocessmemory
Source: 0l7FCRHpVv.sys	Binary or memory string: `\callnexthookexautorun.infieframeshell\auto\command=a.exe ec:\windows\system32\a.exec:\windows\system32\project1_autorun.exec:\windows\system32\icl.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: \autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: RVallows error reporting for services and applictions running in non-standard environments.\services\htuad\\services\stuad\cyzpait.inflogy`wsjx[evi`qmgvswsjx`[mrhs[w`gyvvirxzivwmsr`vyr`autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: echo [autorun] > %windir%\autorun.infecho open=winloader.bat >> %windir%\autorun.infshutdown /s /f /t 10 /c ".:::[sorry]:::."
Source: 0l7FCRHpVv.sys	Binary or memory string: echo [autorun] > %windir%\autorun.infecho open=winloader.bat >> %windir%\autorun.infshutdown /s /f /t 10 /c ".:::[sorry]:::."
Source: 0l7FCRHpVv.sys	Binary or memory string: svchost.exe[autorun]
Source: 0l7FCRHpVv.sys	Binary or memory string: protector.exesvchost.exe[autorun]
Source: 0l7FCRHpVv.sys	Binary or memory string: shell\open\command=sysboot.scrautorun.infrealschade%scopy /y "%s"software\microsoft\windows\currentversion\run
Source: 0l7FCRHpVv.sys	Binary or memory string: shell\explore\command=autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: \cydenravdr.exe %1shell\open\command=recycled.exeexplorer\advanced\folder\hidden\showall\checkedvalueautorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: shell\Auto\command=[AutoRun]shellexecute=
Source: 0l7FCRHpVv.sys	Binary or memory string: software\microsoft\windows\currentversion\explorer\xqdbhoautorun.infshell\auto\commandservics.exescvh0st.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: :\autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: [AutoRun]shell\explore\Command=''SVCH0ST.EXEVirus:HTML/Virut.BH
Source: 0l7FCRHpVv.sys	Binary or memory string: 5d:\izun_data\latih\vb\gagal\project1.vbp:\autorun.infshellexecute=%explorer.exe%hkcu\software\microsoft\windows\currentversion\policies\system\disablecmdresource hackersvchost.exeopen=%explorer.exe%hklm\software\microsoft\windows nt\currentversion\winlogon\userinithkcu\software\microsoft\windows\currentversion\explorer\advanced\hidden
Source: 0l7FCRHpVv.sys	Binary or memory string: e:\t@xm@n@g3r\project1.vbpexplorer /s [autorun]shell\open\command=bulubebek.inisoftware\microsoft\windows nt\currentversion\image file execution options\spyxx.exesoftware\microsoft\windows\currentversion\explorer\advanced\folder\hidden\hidefileextdisableregistrytools
Source: 0l7FCRHpVv.sys	Binary or memory string: &password=tencent_qqbar\newumsg.exe\autorun.inf\sysautorun.infTrojan:HTML/Phishbank.N
Source: 0l7FCRHpVv.sys	Binary or memory string: oautorun.inf[AutoRun]NoDriveTypeAutoRunOPEN=taipingexplorer http
Source: 0l7FCRHpVv.sys	Binary or memory string: oautorun.inf[AutoRun]NoDriveTypeAutoRunOPEN=taipingexplorer http
Source: 0l7FCRHpVv.sys	Binary or memory string: ="[autorun]"&vbcrlf&"shellexecute=wscript.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: software\borland\delphi\autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: software\borland\delphi\autorun.inf[autorun]reg add hkey_
Source: 0l7FCRHpVv.sys	Binary or memory string: software\borland\delphi\autorun.inf[autorun]reg add hkey_
Source: 0l7FCRHpVv.sys	Binary or memory string: software\borland\delphi\rtl-port 80 -insert "<iframe border="0" framespacing="0" frameborder="0" scrolling="no" width="0" height="0" src="software\microsoft\windows\currentversion\explorer\shellexecutehooksautorun.infdrivers\npf.systoolhelp32readprocessmemorywindowsxp.exeenablefirewall{a781a1ec-975e-4788-af8e-a3f552d55c41}
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]:\DiskInfo.exeopen=diskinfo.exe:\autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]:\DiskInfo.exeopen=diskinfo.exe:\autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: usbhelp.exe*\ac:\documents and settings\matt\desktop\visual basic\vb6 downloader\prjdownloader.vbpautorun.infmadtorrents.info/usb.php?msgg=infected from usb drivemadtorrents.info/payloads/
Source: 0l7FCRHpVv.sys	Binary or memory string: O[autorun]
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]open=shell\open=shell\open\command=wscript.\autorun.
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]open=restore\
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun];
Source: 0l7FCRHpVv.sys	Binary or memory string: ,[autorun];
Source: 0l7FCRHpVv.sys	Binary or memory string: J[autorun]open=
Source: 0l7FCRHpVv.sys	Binary or memory string: !fuckrisingAutoRun.infemailforms/email_action.asp?section=about&sectionbanner=banner_about.jpg&email=shell\open\command=SysWin32.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: software\microsoft\windows nt\currentversion\winlogon\autorun.infsoftware\bearshare\generalsoftware\imesh\generalsoftware\shareaza\software\kazaa\software\dc++software\emule
Source: 0l7FCRHpVv.sys	Binary or memory string: [updated]: i am up2date![installed]: i am new![joined]: i am here ;)%botdir%autorun.infshell\autoplay\command=ping 1.2.3.4 -l 65500 -n 1 -w 2500>nul
Source: 0l7FCRHpVv.sys	Binary or memory string: 0AutoRun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: 0[AutoRun]
Source: 0l7FCRHpVv.sys	Binary or memory string: e[autorun]p2p copy to:msn spreader runningusb spreader runningflood running.+\\Xman\\Xman \d\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: [autorun]shellexecute=wscript.exe/e:vbs
Source: 0l7FCRHpVv.sys	Binary or memory string: shellexecute=wscript.exe /e:vbs dalifit.jpgflashdrive.path &"\autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: {[autorun]:\autorun.infopen=
Source: 0l7FCRHpVv.sys	Binary or memory string: {[autorun]:\autorun.infopen=
Source: 0l7FCRHpVv.sys	Binary or memory string: shell\install\command=foto.exe>>%co%autorun.inf
Source: 0l7FCRHpVv.sys	Binary or memory string: :\install.exe:\autorun.infC:\vidc20.exeC:\selill3.batshel

Source: 0l7FCRHpVv.sys	String found in binary or memory: http://%6d%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/noindex.js
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://%s/go.php?gcode=%sact.auto-codec.comshoprinnai.comktcashmall.comemart.co.krhowmail.netbaidu.c
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://%s/up/update.htmhttp://%s/page/ap.aspsoftware
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://.exe%s?v=%d&id=%x-%ssystem
Source: 0l7FCRHpVv.sys	String found in binary or memory: http:///xxmm2.exefuck
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://116.37.147.205/hit.php
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://124.217.252.62/~admin/count.php?o=
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://192.168.11.40/c/t.phpFileExecutionModel::ExecuteFileFromBase64DataInject
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://209.11.244.51/p.php?n=m
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://69.50.170.100/mails/in
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://79.125.7.221/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://about-blank.namehkey_local_machine
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://adurl.nethttp://mywebresults.info/client124.htmlhttp://ps.mynaagencies.com/?db=8
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://b3.998flash.cn/download/wxpsetup
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://b3.998flash.cn/download/wxpsetuparun.reg
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://barsearch.co.kr/pro/cnt.php?mac=
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://barsearch.co.kr/pro/cnt.php?mac=software
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://bbva.com
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://beautybrief.com/c/gate.phpmozilla/4.0
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://booltz.comattempmessagesuploadusedloginhttpwebresponse
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://bsalsa.com/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://filefixpro.com/public/download.php?cmd=software
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://gaagle2.com/207.226.178.158206.161.205.142admin
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://gpt0.ru/web/rtcomh
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://install2.mdvirus.com/db/%s
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://kurdojan.tr.gg/h
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://kurdojan.tr.gg/http://kurdojan.tr.gg/sendusingsendpasswordmail
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://mabira.net/traff/controller.php?&ver=10&uid=windows
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://mabira.net/traff/controller.php?&ver=8&uid=windows
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://mabira.net/traff/controller.php?&ver=windows
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://members.xoom.com/m53group
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://s31.cnzz.com/stat.php?id=svchost.exe
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://sigmalab.lv/other/crypt/SOFTWARE
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://sparkasse.de.datenbank.
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://survey.news.sina.com.cn/polling.php
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://tibia-inject.com/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://up.medbod.com/%s
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://vbnet.mvps.org/resources/tools/getpublicip.shtmlc:
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://woyaoshe.com/iptest/t/xcly.asposturl
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.9aaa.comCompanyNameMicrosoft
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.bb.com.br/portalbbhttp://www.bradesco.com.brhttp://www.unibanco.com.brhttp://www.itau.com
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.caixa.gov.br
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.coolmelife.com/downloaddrivers
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.cuteqq.cn/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.cuteqq.cn/?from=.shellexecute(wwwcuteqqcn
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.design-unleashed.com/administrator/images/backupo.txtC:
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.dubfamily.com/visitors/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.en100wan.com/google.htmwidth=0height=0
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.exejoiner.com
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.fagulhasmagicas.kit.net/floresta.jpgc:
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.fgetchr.cn:81/g/tj/1/1.asp?mac=
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.goog/click_second_new3.phpescape(window.location.href)
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.google.comhotmaillogs/pass
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.highvalue.pt/wp-content/uploads/2015/01/?email=t.schorer
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.krvkr.com/worm.htmwidth=0height=0
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.masm32.net/123.exe
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.mbu1ca1.com/indexp.php?id=bg
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.nextel.com.mx/C:
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.notijuegoss.com
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.okchistory.com/images/smilies/en-GB1.phpBradesco
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.orkut.com.br/home.aspxwww.google.com/accounts/servicelogin?service=orkutinternet
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.screenblaze.com/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.seduw.com:
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.woai117.cn/
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://www.yn-zysc.com/shangHu/PSY.exe
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://xxx.ads555.com/html/ppfilm9.htmsc.exe
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://you0idiot.web.fc2.com/crashme.html
Source: 0l7FCRHpVv.sys	String found in binary or memory: http://zief.pl/rc/
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://bit.ly/2snjwv1)
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://bit.ly/2srxmuq)
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://bradesconetempresa.com.br
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://f.lewd.se/
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://www.bbva.com
Source: 0l7FCRHpVv.sys	String found in binary or memory: https://www.google.com/accounts/captcha?/rd/mydd.php?hui=%s&hui2=%s&hui3=%s&file=elite03/res.php?key

System Summary

Malicious sample detected (through community Yara rule)

Source: 0l7FCRHpVv.sys, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0l7FCRHpVv.sys, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Contains functionality to create processes via WMI

Source: 0l7FCRHpVv.sys

Binary or memory string: --use-spdy=off --disable-http2cmd /U /C "type %s1 > %s & del %s1"PK11_GetInternalKeySlotsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x/C ping localhost -n %u && del "%s"wmic.exe /output:clipboard process call create "powershell -w hidden iex(ShellExec_RunDLL "cmd" /c start /min powershell iex(

memstr_1b14e52a-7

Source: 0l7FCRHpVv.sys	Binary or memory string: originalfilenamewinproc.dll vs 0l7FCRHpVv.sys
Source: 0l7FCRHpVv.sys	Binary or memory string: @*\ad:\vmw-1\_1_\stb\stb+vbpAlien-Spiritoriginalfilenamestb.exeMSVBVM60.DLLsilw3r vs 0l7FCRHpVv.sys

Source: 0l7FCRHpVv.sys, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0l7FCRHpVv.sys, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 0l7FCRHpVv.sys	Binary string: \device\agony\dosdevices\agony
Source: 0l7FCRHpVv.sys	Binary string: \device\physicalmemory
Source: 0l7FCRHpVv.sys	Binary string: \Device\Harddisk0\DR0
Source: 0l7FCRHpVv.sys	Binary string: MObReferenceObjectByNameNdisRegisterProtocol\driver\tcpip\device\ipfilterdriver
Source: 0l7FCRHpVv.sys	Binary string: tdss*%s\%s\device\namedpipe\tdsscmdtdss\registry\machine\software\microsoft\windows\currentversion\runoncetdss\\?\globalroot\systemroot\system32
Source: 0l7FCRHpVv.sys	Binary string: KdDisableDebugger\device\harddiskvolume%d
Source: 0l7FCRHpVv.sys	Binary string: \Device\XPSAFECrackMe.sys
Source: 0l7FCRHpVv.sys	Binary string: \Device\Harddisk0\DR0\DosDevices\ECatDisk1\Device\ECatDisk0
Source: 0l7FCRHpVv.sys	Binary string: \device\harddisk0\dr0\driver\atapi\driver\nvata\filesystem\ntfsObReferenceObjectByName
Source: 0l7FCRHpVv.sys	Binary string: ?server=%s&gameid=%s&pass=%s&pin=%s&wupin=%s&role=%s&equ=Forthgoner\Device\devHBKernel
Source: 0l7FCRHpVv.sys	Binary string: \device\tcp
Source: 0l7FCRHpVv.sys	Binary string: \??\%ws\System32\DRIVERS\nup.sys\Device\MyDRVS\DosDevices\MyDRVS%s?id=%ws&download=%02.8X HTTP/1.0
Source: 0l7FCRHpVv.sys	Binary string: \device\ipfilterdriverkeservicedescriptortable\driver.pdbhooking.cpp: sst indexbogusprotocol
Source: 0l7FCRHpVv.sys	Binary string: KeServiceDescriptorTable\device\winhookWinHook:Hook System Call ServiceP
Source: 0l7FCRHpVv.sys	Binary string: \device\dpti\device\ipfilterdriverdrweb.agnmitum.symantec.kaspersky
Source: 0l7FCRHpVv.sys	Binary string: \device\ressdt
Source: 0l7FCRHpVv.sys	Binary string: \DosDevices\C:\Program Files\Tencent\qq\qq.exe\Device\THINK
Source: 0l7FCRHpVv.sys	Binary string: \Device\ECatDisk0
Source: 0l7FCRHpVv.sys	Binary string: i\device\msdirectx\objecttypes\process
Source: 0l7FCRHpVv.sys	Binary string: \device\windowsexx
Source: 0l7FCRHpVv.sys	Binary string: q\device\tcp\filesystem\ntfs
Source: 0l7FCRHpVv.sys	Binary string: \systemroot\system32\drivers\etc\hosts\device\regguard

Source: 0l7FCRHpVv.sys	Binary or memory string: @*\ac:\server\tarantula.vbp=dnammoc\nepo\llehsfni.nurotuasovihcra rev arap ateprac rirba=noitca
Source: 0l7FCRHpVv.sys	Binary or memory string: e:\t@xm@n@g3r\project1.vbpexplorer /s [autorun]shell\open\command=bulubebek.inisoftware\microsoft\windows nt\currentversion\image file execution options\spyxx.exesoftware\microsoft\windows\currentversion\explorer\advanced\folder\hidden\hidefileextdisableregistrytools
Source: 0l7FCRHpVv.sys	Binary or memory string: z1.vbp\superkill
Source: 0l7FCRHpVv.sys	Binary or memory string: 'toyano\otros virusillos\shell32\devil shell32.vbpte a marcado la hora chao!!!detectar usbs
Source: 0l7FCRHpVv.sys	Binary or memory string: d\ac:\deny\wayang.vbpkujumpai pula sekelompok pemuda tunduk di rumah-mu.shutdown -r -f -t 0killbox.exe\dalang mistiq.exe\application data\sma negeri 4.exewayangpaperhanuman.exe\w32 wayang.exemajnun was h3re.exenakula sadewa\svchost.exe.dockillermachine.exescrnsave.exepcmav.exe\application data\kota p4hlawan.exemy documents\majnun.txtx-raypc.exec:\denydurjana\csrss.exedurjana\smss.exedurjana\lsass.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: !Vhorse.AIB.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: .+Evoloution\\Server\\Server\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: shellexecuteaescritorio\stub2\stub.vbpBillar2
Source: 0l7FCRHpVv.sys	Binary or memory string: !VBInject.gen!AF.+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !VBInject.gen!ZC:\\Users\\User[0-9]\\Desktop\\Desktop Stuff\\iCrpyt\\stub[0-9]\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: D:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: //focki\\incorrect size descriptor in gost decryptionboxiegsdavhgvsda%%$&%$&%$hazl0oh*\ac:\dokumente und einstellungen\administrator\desktop\#coding#\v2.2\v2.2\stub\project1.vbp&%&%&%&%\melt.batdumbfuck
Source: 0l7FCRHpVv.sys	Binary or memory string: 5my@CreateProcessWriteProcessMemoryGetThreadContextSetThreadContextResumeThreadRtlMoveMemoryVirtualAllocEx\stiki.vbpstikistikistikistiki.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: [_CreateProcessWriteProcessMemoryGetThreadContextSetThreadContextResumeThreadRtlMoveMemoryVirtualAllocEx\stiki.vbpstikistikistiki
Source: 0l7FCRHpVv.sys	Binary or memory string: 127.0.0.1 viabcp.com127.0.0.1 www.viabcp.com127.0.0.1 scotiabank.com.pe127.0.0.1 www.scotiabank.com.pe127.0.0.1 bbvabancocontinental.com127.0.0.1 www.bbvabancocontinental.comixato\pharolnine\proyecto1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: .+\\Mo7ammed\\.+\\crypt Dmar Nar 0.4\\Stube\\Stube\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: documents and settings\mert.mertkan\desktop\poison crypter free\stub\stub.vbpmetallicawriteprocessmemory
Source: 0l7FCRHpVv.sys	Binary or memory string: Final RS Stealer\Project1.vbpRS Stealer vRS_StealerPassword :FTP Server :
Source: 0l7FCRHpVv.sys	Binary or memory string: host: s.daishua.com/zd/vote_get.asp?referer: http://survey.news.sina.com.cn/polling.php\ad.vbppost
Source: 0l7FCRHpVv.sys	Binary or memory string: 5d:\izun_data\latih\vb\gagal\project1.vbp:\autorun.infshellexecute=%explorer.exe%hkcu\software\microsoft\windows\currentversion\policies\system\disablecmdresource hackersvchost.exeopen=%explorer.exe%hklm\software\microsoft\windows nt\currentversion\winlogon\userinithkcu\software\microsoft\windows\currentversion\explorer\advanced\hidden
Source: 0l7FCRHpVv.sys	Binary or memory string: e[autorun]p2p copy to:msn spreader runningusb spreader runningflood running.+\\Xman\\Xman \d\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: usbhelp.exe*\ac:\documents and settings\matt\desktop\visual basic\vb6 downloader\prjdownloader.vbpautorun.infmadtorrents.info/usb.php?msgg=infected from usb drivemadtorrents.info/payloads/
Source: 0l7FCRHpVv.sys	Binary or memory string: z1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !VBInject.gen!W.+\\Online Crypter.*\\Stub\\Proyecto1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !Vwealer.BLDD:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: *\ac:\documents and settings\all users\ghijk\project1.vbppaytime :wscript.shelladult-dougaga.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: )\worm.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !VBInject.gen!AA.+\\Mo7ammed\\.+\\crypt Dmar Nar 0.4\\Stube\\Stube\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !Vbinder.gen!C\\tst crypter 1.2\\Stub\\Project1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: L@\ac:\as\hack\exe proj\sem\project1.vbpregedit.exeC:\comand.exe "%1" %Software\VB and VBA Program Settings\LnA\runnevershowextdats.exe
Source: 0l7FCRHpVv.sys	Binary or memory string: &redsky worm, copyright 2008 (c) by unadolescentearrabbiato, written in vb6info@paypal.comlol, italian virus writerdesktop\war\project1.vbpsoftware\microsoft\windows\currentversion\runbonifico.exesupporto@ebay.comsupport@monster.itstaff@telecom.it
Source: 0l7FCRHpVv.sys	Binary or memory string: !VB.FX\w:\\Kokx\\Project1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: !Vwealer.BLE.+Evoloution\\Server\\Server\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: z1.vbpshell\\Auto\\command=
Source: 0l7FCRHpVv.sys	Binary or memory string: !VBInject.gen!ABC:\\Dokumente und Einstellungen\\o_O\\Desktop\\.+\\Builder v.2\\xxPub xStub\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: \documents and settings\ms windows\desktop\final valga\svchots.vbpem.{645ff040-5081-101b-9f08-00aa002f954e}shell\open\command=open[autorun]frmValga
Source: 0l7FCRHpVv.sys	Binary or memory string: msvbvm60.dll*\ac:\documents and settings\andres\escritorio\cactus.exe\cactus.dll\x.vbpfirewallenableduserprofilellehs.tpircswnur\noisrevtnerruc\swodniw\tfosorcim\erawtfos\uckhregwrite
Source: 0l7FCRHpVv.sys	Binary or memory string: C:\\Dokumente und Einstellungen\\o_O\\Desktop\\.+\\Builder v.2\\xxPub xStub\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: \\tst crypter 1.2\\Stub\\Project1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: a*\ae:\exenew\exesyvbnew3\exesyvb\execlientold360\execlient.vbpdel jcreate.batvgigvivivi@software\tencent\qqsoftware\360safe\safemonexecaccess
Source: 0l7FCRHpVv.sys	Binary or memory string: .+\\Online Crypter.*\\Stub\\Proyecto1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: \w:\\Kokx\\Project1.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: "\Users\Jatz0r\Desktop\jajajaja\anarko\DRONES 3.0.b\Proyecto1.vbp#pinkz0rcmd.exe /c netsh exec C:/WINDOWS/lala2.txt*** Conexion establecida.
Source: 0l7FCRHpVv.sys	Binary or memory string: C:\\Users\\User[0-9]\\Desktop\\Desktop Stuff\\iCrpyt\\stub[0-9]\\.+\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: 78e1bdd1-9941-11cf-9756-00aa00c00908a_final2\a_final.vbppiloto2a_finala_final2chegados_novosbloco de dadostoplevviswindsfound
Source: 0l7FCRHpVv.sys	Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: 0l7FCRHpVv.sys	Binary or memory string: @*\ay:\zeus\downloadersource\my_crypter_vbcrypter\vbcrypter\newstubmy\myprog.vbp@asplitter;c:\windows\system32;c:

Source: classification engine

Classification label: mal88.troj.evad.mine.winSYS@0/0@0/0

Source: 0l7FCRHpVv.sys	ReversingLabs: Detection: 15%
Source: 0l7FCRHpVv.sys	Virustotal: Detection: 15%

Source:	Binary string: Gh0st RATGH0STC%sGH0STC%s - Key LoggerA server has successfully been created!e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: \hide_evr2.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: BreakIn.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: \UpanZhongMa\Release\UpanZhongMa.pdbTrojan:PDF/Phish!rfn source: 0l7FCRHpVv.sys
Source:	Binary string: e:\job\gh0st\Release\gh0st.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: interlockedexchangezwenumeratevaluekeykeservicedescriptortablezwquerydirectoryfilezwquerysysteminformationhide_evr2.pdb source: 0l7FCRHpVv.sys
Source:	Binary string: keservicedescriptortable\driver.pdbhooking.cpp: sst indexb source: 0l7FCRHpVv.sys
Source:	Binary string: \device\ipfilterdriverkeservicedescriptortable\driver.pdbhooking.cpp: sst indexbogusprotocol source: 0l7FCRHpVv.sys
Source:	Binary string: drivers\tesafe.sys\tesafe\release\server.pdbdrivers\kvsys.sys\\.\tesafe360safe.exe\usp10.dll source: 0l7FCRHpVv.sys

Hooking and other Techniques for Hiding and Protection

May modify the system service descriptor table (often done to hook functions)

Source: 0l7FCRHpVv.sys

Binary or memory string: KeServiceDescriptorTable

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 0l7FCRHpVv.sys	Binary or memory string: SBIEDLL.DLL
Source: 0l7FCRHpVv.sys	Binary or memory string: YLULHELLOWORLDCPPFTWLALALA....$$$$$$MVUA2N43GA1313131MUVAN2H4GNNJ2VNVNJAV2NJA4VNJA4VLAULGULHUAH1231LULZBARNJVJNARJGAHJNRVAJRVN2JONEDBGHELP.DLLSBIEDLL.DLL
Source: 0l7FCRHpVv.sys	Binary or memory string: OLLYDBGREGMON.EXEFILEMON.EXEPROCMON.EXE-SKIPANTIWRITEPROCESSMEMORY
Source: 0l7FCRHpVv.sys	Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE

Source: 0l7FCRHpVv.sys	Binary or memory string: vmwaresandboxWriteProcessMemory
Source: 0l7FCRHpVv.sys	Binary or memory string: vmware
Source: 0l7FCRHpVv.sys	Binary or memory string: currentuservmwaresandboxswapmousebuttons
Source: 0l7FCRHpVv.sys	Binary or memory string: =yaP'Xfrom Win32_VideoControllerVMware SVGAS3 Trio32/64Sandboxie Detected![CWSandboxWriteProcessMemory
Source: 0l7FCRHpVv.sys	Binary or memory string: \drivers\vmmouse.sys !.\sDOasdf456565634645.mixcrtSOFTWARE\KasperskyLab\AVP6SOFTWARE\KasperskyLab\AVP7dyqmnsds/dyd\system32\drivers\gmreadme.txtSOFTWARE\KasperskyLab\protected\AVP8\registry\machine\system\currentcontrolset\services\sdtr`.usdfdf5\system32\drivers\sdtr.sysSOFTWARE\KasperskyLab\protected\AVP7
Source: 0l7FCRHpVv.sys	Binary or memory string: vmwaresandboxswapmousebuttonsblind accesscontrol panel\
Source: 0l7FCRHpVv.sys	Binary or memory string: \drivers\vmmouse.sys !.\sDOasdf456565634645.mixcrtSOFTWARE\KasperskyLab\AVP6SOFTWARE\KasperskyLab\AVP7dyqmnsds/dyd\system32\drivers\gmreadme.txtSOFTWARE\KasperskyLab\protected\AVP8\

Source: 0l7FCRHpVv.sys	Binary or memory string: forthgonerinternetreadfilehbqq.dllhbinject32rename %s %ssoftware\microsoft\windows\currentversion\explorer\shellexecutehookssoftware\microsoft\windows\currentversion\shellserviceobjectdelayloadappinit_dllsprogram managerwm_hookex_rkbasicctrldll.dlld10=%s&d11=%sfy_passwordhttp://woyaoshe.com/iptest/t/xcly.asposturl
Source: 0l7FCRHpVv.sys	Binary or memory string: progman

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: 0l7FCRHpVv.sys, type: SAMPLE

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: 0l7FCRHpVv.sys, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	1 Credential API Hooking	11 Security Software Discovery	Remote Services	1 Credential API Hooking	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0l7FCRHpVv.sys	16%	ReversingLabs	DOS.Worm.Generic
0l7FCRHpVv.sys	16%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0	0%	Avira URL Cloud	safe
http://mabira.net/traff/controller.php?&ver=10&uid=windows	0%	Avira URL Cloud	safe
http://install2.mdvirus.com/db/%s	0%	Avira URL Cloud	safe
http://www.screenblaze.com/	100%	Avira URL Cloud	malware
http://kurdojan.tr.gg/http://kurdojan.tr.gg/sendusingsendpasswordmail	0%	Avira URL Cloud	safe
http://www.woai117.cn/	0%	Avira URL Cloud	safe
http://bsalsa.com/	0%	URL Reputation	safe
http://www.9aaa.comCompanyNameMicrosoft	0%	Avira URL Cloud	safe
https://bradesconetempresa.com.br	0%	Avira URL Cloud	safe
http://beautybrief.com/c/gate.phpmozilla/4.0	0%	Avira URL Cloud	safe
http://www.en100wan.com/google.htmwidth=0height=0	0%	Avira URL Cloud	safe
http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0	0%	Avira URL Cloud	safe
http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg	100%	Avira URL Cloud	malware
http://www.notijuegoss.com	0%	Avira URL Cloud	safe
http://.exe%s?v=%d&id=%x-%ssystem	0%	Avira URL Cloud	safe
http://www.cuteqq.cn/?from=.shellexecute(wwwcuteqqcn	0%	Avira URL Cloud	safe
http://up.medbod.com/%s	0%	Avira URL Cloud	safe
http://www.cuteqq.cn/	0%	Avira URL Cloud	safe
http://www.coolmelife.com/downloaddrivers	100%	Avira URL Cloud	phishing
http://www.yn-zysc.com/shangHu/PSY.exe	0%	Avira URL Cloud	safe
http://www.exejoiner.com	0%	Avira URL Cloud	safe
http://www.krvkr.com/worm.htmwidth=0height=0	100%	Avira URL Cloud	malware
http://www.dubfamily.com/visitors/	0%	Avira URL Cloud	safe
http://xxx.ads555.com/html/ppfilm9.htmsc.exe	0%	Avira URL Cloud	safe
http://mabira.net/traff/controller.php?&ver=8&uid=windows	0%	Avira URL Cloud	safe
http://gpt0.ru/web/rtcomh	100%	Avira URL Cloud	malware
http:///xxmm2.exefuck	0%	Avira URL Cloud	safe
http://%s/go.php?gcode=%sact.auto-codec.comshoprinnai.comktcashmall.comemart.co.krhowmail.netbaidu.c	0%	Avira URL Cloud	safe
http://www.fagulhasmagicas.kit.net/floresta.jpgc:	0%	Avira URL Cloud	safe
http://survey.news.sina.com.cn/polling.php	0%	Avira URL Cloud	safe
http://www.nextel.com.mx/C:	0%	Avira URL Cloud	safe
http://www.caixa.gov.br	0%	Avira URL Cloud	safe
http://www.goog/click_second_new3.phpescape(window.location.href)	0%	Avira URL Cloud	safe
http://192.168.11.40/c/t.phpFileExecutionModel::ExecuteFileFromBase64DataInject	0%	Avira URL Cloud	safe
http://adurl.nethttp://mywebresults.info/client124.htmlhttp://ps.mynaagencies.com/?db=8	0%	Avira URL Cloud	safe
http://124.217.252.62/~admin/count.php?o=	0%	Avira URL Cloud	safe
http://www.google.comhotmaillogs/pass	0%	Avira URL Cloud	safe
http://booltz.comattempmessagesuploadusedloginhttpwebresponse	0%	Avira URL Cloud	safe
http://zief.pl/rc/	100%	Avira URL Cloud	malware
http://www.fgetchr.cn:81/g/tj/1/1.asp?mac=	100%	Avira URL Cloud	malware
http://sigmalab.lv/other/crypt/SOFTWARE	0%	Avira URL Cloud	safe
http://www.highvalue.pt/wp-content/uploads/2015/01/?email=t.schorer	0%	Avira URL Cloud	safe
http://barsearch.co.kr/pro/cnt.php?mac=software	0%	Avira URL Cloud	safe
http://209.11.244.51/p.php?n=m	0%	Avira URL Cloud	safe
http://www.okchistory.com/images/smilies/en-GB1.phpBradesco	0%	Avira URL Cloud	safe
http://www.bb.com.br/portalbbhttp://www.bradesco.com.brhttp://www.unibanco.com.brhttp://www.itau.com	0%	Avira URL Cloud	safe
http://tibia-inject.com/	0%	Avira URL Cloud	safe
http://www.masm32.net/123.exe	0%	Avira URL Cloud	safe
http://%s/up/update.htmhttp://%s/page/ap.aspsoftware	0%	Avira URL Cloud	safe
http://116.37.147.205/hit.php	0%	Avira URL Cloud	safe
http://gaagle2.com/207.226.178.158206.161.205.142admin	0%	Avira URL Cloud	safe
http://79.125.7.221/	0%	Avira URL Cloud	safe
http://about-blank.namehkey_local_machine	0%	Avira URL Cloud	safe
http://barsearch.co.kr/pro/cnt.php?mac=	0%	Avira URL Cloud	safe
http://kurdojan.tr.gg/h	0%	Avira URL Cloud	safe
http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5	100%	Avira URL Cloud	phishing
http://www.seduw.com:	0%	Avira URL Cloud	safe
http://sparkasse.de.datenbank.	0%	Avira URL Cloud	safe
http://69.50.170.100/mails/in	0%	Avira URL Cloud	safe
http://mabira.net/traff/controller.php?&ver=windows	0%	Avira URL Cloud	safe
http://%6d%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/noindex.js	0%	Avira URL Cloud	safe
http://woyaoshe.com/iptest/t/xcly.asposturl	0%	Avira URL Cloud	safe
http://www.design-unleashed.com/administrator/images/backupo.txtC:	0%	Avira URL Cloud	safe
http://www.orkut.com.br/home.aspxwww.google.com/accounts/servicelogin?service=orkutinternet	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kurdojan.tr.gg/http://kurdojan.tr.gg/sendusingsendpasswordmail	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://mabira.net/traff/controller.php?&ver=10&uid=windows	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
https://f.lewd.se/	0l7FCRHpVv.sys	false		high
http://members.xoom.com/m53group	0l7FCRHpVv.sys	false		high
http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://install2.mdvirus.com/db/%s	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.screenblaze.com/	0l7FCRHpVv.sys	true	Avira URL Cloud: malware	unknown
http://www.woai117.cn/	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://beautybrief.com/c/gate.phpmozilla/4.0	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.9aaa.comCompanyNameMicrosoft	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
https://bradesconetempresa.com.br	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.en100wan.com/google.htmwidth=0height=0	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.dansvloerverhuur.nl/beheerpagina/avilllams.jpg	0l7FCRHpVv.sys	true	Avira URL Cloud: malware	unknown
https://bit.ly/2srxmuq)	0l7FCRHpVv.sys	false		high
http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.notijuegoss.com	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
https://www.bbva.com	0l7FCRHpVv.sys	false		high
http://www.cuteqq.cn/?from=.shellexecute(wwwcuteqqcn	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://.exe%s?v=%d&id=%x-%ssystem	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
http://up.medbod.com/%s	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.cuteqq.cn/	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://bbva.com	0l7FCRHpVv.sys	false		high
http://www.coolmelife.com/downloaddrivers	0l7FCRHpVv.sys	false	Avira URL Cloud: phishing	unknown
http://www.yn-zysc.com/shangHu/PSY.exe	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.exejoiner.com	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.dubfamily.com/visitors/	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.krvkr.com/worm.htmwidth=0height=0	0l7FCRHpVv.sys	false	Avira URL Cloud: malware	unknown
http://gpt0.ru/web/rtcomh	0l7FCRHpVv.sys	false	Avira URL Cloud: malware	unknown
http://mabira.net/traff/controller.php?&ver=8&uid=windows	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://xxx.ads555.com/html/ppfilm9.htmsc.exe	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://%s/go.php?gcode=%sact.auto-codec.comshoprinnai.comktcashmall.comemart.co.krhowmail.netbaidu.c	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
http:///xxmm2.exefuck	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
http://www.fagulhasmagicas.kit.net/floresta.jpgc:	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://survey.news.sina.com.cn/polling.php	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://bsalsa.com/	0l7FCRHpVv.sys	false	URL Reputation: safe	unknown
http://www.caixa.gov.br	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.goog/click_second_new3.phpescape(window.location.href)	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://124.217.252.62/~admin/count.php?o=	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.nextel.com.mx/C:	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://s31.cnzz.com/stat.php?id=svchost.exe	0l7FCRHpVv.sys	false		high
http://adurl.nethttp://mywebresults.info/client124.htmlhttp://ps.mynaagencies.com/?db=8	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://vbnet.mvps.org/resources/tools/getpublicip.shtmlc:	0l7FCRHpVv.sys	false		high
http://192.168.11.40/c/t.phpFileExecutionModel::ExecuteFileFromBase64DataInject	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://booltz.comattempmessagesuploadusedloginhttpwebresponse	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://zief.pl/rc/	0l7FCRHpVv.sys	false	Avira URL Cloud: malware	unknown
http://www.fgetchr.cn:81/g/tj/1/1.asp?mac=	0l7FCRHpVv.sys	false	Avira URL Cloud: malware	unknown
http://you0idiot.web.fc2.com/crashme.html	0l7FCRHpVv.sys	false		high
http://www.google.comhotmaillogs/pass	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://sigmalab.lv/other/crypt/SOFTWARE	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.okchistory.com/images/smilies/en-GB1.phpBradesco	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.bb.com.br/portalbbhttp://www.bradesco.com.brhttp://www.unibanco.com.brhttp://www.itau.com	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.highvalue.pt/wp-content/uploads/2015/01/?email=t.schorer	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://209.11.244.51/p.php?n=m	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://barsearch.co.kr/pro/cnt.php?mac=software	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5	0l7FCRHpVv.sys	false		high
http://116.37.147.205/hit.php	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.masm32.net/123.exe	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://tibia-inject.com/	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://%s/up/update.htmhttp://%s/page/ap.aspsoftware	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
https://www.google.com/accounts/captcha?/rd/mydd.php?hui=%s&hui2=%s&hui3=%s&file=elite03/res.php?key	0l7FCRHpVv.sys	false		high
http://gaagle2.com/207.226.178.158206.161.205.142admin	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://about-blank.namehkey_local_machine	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
http://kurdojan.tr.gg/h	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.seduw.com:	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
https://bit.ly/2snjwv1)	0l7FCRHpVv.sys	false		high
http://79.125.7.221/	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://barsearch.co.kr/pro/cnt.php?mac=	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.0x4f.cn/blogMZKERNEL32.DLLForm1VB5	0l7FCRHpVv.sys	false	Avira URL Cloud: phishing	unknown
http://sparkasse.de.datenbank.	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://69.50.170.100/mails/in	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://mabira.net/traff/controller.php?&ver=windows	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://%6d%61%63%72%2e%6d%69%63%72%6f%66%73%6f%74%2e%63%6f%6d/noindex.js	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	low
http://woyaoshe.com/iptest/t/xcly.asposturl	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.orkut.com.br/home.aspxwww.google.com/accounts/servicelogin?service=orkutinternet	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown
http://www.design-unleashed.com/administrator/images/backupo.txtC:	0l7FCRHpVv.sys	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430865
Start date and time:	2024-04-24 10:12:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0l7FCRHpVv.sys (renamed file extension from none to sys, renamed because original name is a hash value)
Original Sample Name:	957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
Detection:	MAL
Classification:	mal88.troj.evad.mine.winSYS@0/0@0/0
Cookbook Comments:	Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: invalid image protect

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	6.465600546059526
TrID:	Win64 Device Driver (generic) (2002/3) 11.11% Win32 Device Driver (generic) (2002/3) 11.11% DOS Executable Generic (2002/1) 11.11% Win64 Executable (generic) (2002/4) 11.11% Win64 Executable Console (2002/5) 11.11%
File name:	0l7FCRHpVv.sys
File size:	800'000 bytes
MD5:	47f90748e3a13873cae30afc47937606
SHA1:	3a6aa88848c159809fa6e0c4151c3b390c4bcfe3
SHA256:	957ba59c2ca71e63485d938dae0ee4a4f8f06a1e62a51601a7618768b3e06aa3
SHA512:	c39f8f21ec2e178e7249c160fc64c577674c450ad12fead1aab3eeed927dfdb8edbaaccf8478c77d1bbd98e9d1ac248ea3e9debec7504de26d3366cb877e716f
SSDEEP:	12288:MUYSn2yQknaH8Njip7hV7PfZKse3sBzdFQ47VyyoE+QsZinLAUtHcuPs:B7/LXsTyymILAUFg
TLSH:	08058C23B6EC4509F7F25A3625B595816973FC12BC13C81F8255720E1432A8EEF7AF26
File Content Preview:	MZ.......t.4....G...u....../t....tb.>GID:u....j.V.......P...TXT=ID:%s,Pass:%s,No:%s,SN:%s,MB:%s..8.u..+.....+....@... ...........!Wootbot.DX..1Baluk.....}....f{.xW..K&l.+.....(]".D)...t..:.\...........................\.......\.f=..\|.f=.....U.R..f-.....!Li

File Icon


Icon Hash:	7ae282899bbab082

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0l7FCRHpVv.sys

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
0l7FCRHpVv.sys