
Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Sample Name: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Analysis ID: 343504
MD5: 6665909a2652c5860fd874cb15c3991c
SHA1: 84a5a2e920e8165634e510766eaa51662401a227
SHA256: 1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe (PID: 4164 cmdline: 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe' MD5: 6665909A2652C5860FD874CB15C3991C)
    • zr.exe (PID: 6340 cmdline: 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*' MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)
      • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6648 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PMRunner64.exe (PID: 7120 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)
  • zr.exe (PID: 6800 cmdline: 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)
    • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PMRunner64.exe (PID: 6492 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)
  • PMRunner64.exe (PID: 6972 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\zT6Nm@i4\ru2.url
Rule: Methodology_Suspicious_Shortcut_Local_URL
Description: Detects local script usage for .URL persistence
Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Strings:
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Virustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | ReversingLabs: Detection: 22%

Privilege Escalation:

Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000180002D40 CoGetObject,CoGetObject,Sleep,SleepEx,

Compliance:

Binary contains paths to debug symbols
Source: Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: z:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: x:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: v:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: t:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: r:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: p:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: n:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: l:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: j:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: h:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: f:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: b:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: y:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: w:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: u:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: s:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: q:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: o:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: m:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: k:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: i:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: g:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: e:
Source: C:\Windows\System32\conhost.exe | File opened: c:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: [:
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_0040755D FindFirstFileW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 110.92.66.246 ports 1,2,13527,3,5,7
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49746
Source: global traffic | TCP traffic: 192.168.2.4:49744 -> 110.92.66.246:13527
Source: global traffic | HTTP traffic detected: GET /\ HTTP/1.1 | Connection: Upgrade | Sec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHW | Sec-WebSocket-Version: 13 | Upgrade: websocket | Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits | Host: 110.92.66.246:13527
Source: global traffic | HTTP traffic detected: GET /\ HTTP/1.1 | Connection: Upgrade | Sec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnC | Sec-WebSocket-Version: 13 | Upgrade: websocket | Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits | Host: 110.92.66.246:13527
Source: global traffic | HTTP traffic detected: GET /\ HTTP/1.1 | Connection: Upgrade | Sec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkF | Sec-WebSocket-Version: 13 | Upgrade: websocket | Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits | Host: 110.92.66.246:13527
Source: Joe Sandbox View | IP Address: 204.79.197.200
Source: Joe Sandbox View | ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140002220 recv,SendMessageW,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,_cwprintf_s_l,_cwprintf_s_l,htons,_cwprintf_s_l,
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://th.symcb.com/th.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://th.symcb.com/th.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://th.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: http://www.nsecsoft.com
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: https://www.thawte.com/cps0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400DC700 CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,
Source: zr.exe, 00000001.00000002.653437096.0000000000708000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_000000014007AAC4 MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140085328 GetParent,ScreenToClient,free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_000000014000F35C GetKeyState,GetKeyState,GetKeyState,SendMessageW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_000000014008F93C GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_00406D20: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001401578AC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400A38D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014007DA44
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140161B54
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140087CCC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140067CE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140159CFC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400BBD90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400DFD94
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140041DE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400A1E3C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140043E5C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014005BE90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140079EC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140161ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400B9ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400BDED8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014006FF0C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140047F40
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014000DF9C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014006BFC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000018000C380
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001800088E0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001800090C0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000018000E274
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001800104F0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000180016900
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000180006AE0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004292EC
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004419AF
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044C0C8
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044C0A0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044017B
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045A190
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0041C3CB
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0041A459
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00456650
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0043674E
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044C8A0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004509E8
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044C9B0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044AC50
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00454F00
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00452FB0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00451150
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045B423
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004575D0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045B5B1
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004015BE
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045B68B
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045B771
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_004159D7
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00401999
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00459AE0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00451B10
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00459CA0
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0040DDF1
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044BF30
Source: C:\Users\user\zT6Nm@i4\zr.exeProcess token adjusted: Security
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: String function: 00401CC2 appears 153 times
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: String function: 0045AD30 appears 480 times
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PMRunner64.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmpBinary or memory string: OriginalFilename7zr.exe, vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmpBinary or memory string: originalfilename vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686174201.0000000002430000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686004489.00000000020D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686469830.00000000026C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686358301.0000000002550000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: devenum.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: devobj.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: msdmo.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: netapi32.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: samcli.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\zT6Nm@i4\ru2.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: classification engineClassification label: mal72.troj.expl.evad.winEXE@13/17@0/5
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00414942 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_00407CF5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014001E7FC CoInitialize,CoCreateInstance,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400081A8 FindResourceW,LoadResource,LockResource,FreeResource,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeMutant created: \Sessions\1\BaseNamedObjects\V 5i
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeMutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeVirustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeReversingLabs: Detection: 22%
Source: unknownProcess created: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Source: unknownProcess created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\ProgramData\Microsoft\zr.exe 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknownProcess created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknownProcess created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic file information: File size 3150336 > 1048576
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x179c00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: More than 200 imports for USER32.dll
Source: Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeStatic PE information: section name: text
Source: zr.exe.0.drStatic PE information: section name: .sxdata
Source: zr.exe.3.drStatic PE information: section name: .sxdata
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0044C2D0 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045AD30 push eax; ret
Source: C:\Users\user\zT6Nm@i4\zr.exeCode function: 1_2_0045B0E0 push eax; ret
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\PMRunner64.exeJump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\zr.exeJump to dropped file
Source: C:\Windows\System32\cmd.exeFile created: C:\ProgramData\Microsoft\zr.exeJump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\K_FPS64.dllJump to dropped file
Source: C:\Windows\System32\cmd.exeFile created: C:\ProgramData\Microsoft\zr.exeJump to dropped file
Source: C:\ProgramData\Microsoft\zr.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnkJump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start MenuJump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\ProgramsJump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\StartupJump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeFile created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnkJump to behavior
Source: C:\ProgramData\Microsoft\zr.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnkJump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULLJump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULLJump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown | Network traffic detected: HTTP traffic on port 13527 -> 49746
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400025A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140038030 IsIconic,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400926C4 IsIconic,PostMessageW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400668D4 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140091184 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140045388 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400918D4 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageW,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,SendMessageW,GetFocus,WindowFromPoint,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_0000000140037F50 SetForegroundWindow,IsIconic,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_000000018000C380 RtlEncodePointer,_initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: K_FPS64.dll.0.dr | Binary or memory string: OLLYDBG.EXEPROCESSHACKER.EXETCPVIEW.EXEAUTORUNS.EXEAUTORUNSC.EXEFILEMON.EXEPROCMON.EXEREGMON.EXEPROCEXP.EXEIDAQ.EXEIDAQ64.EXEIMMUNITYDEBUGGER.EXEWIRESHARK.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXESYSINSPECTOR.EXEPROC_ANALYZER.EXESYSANALYZER.EXESNIFF_HIT.EXEWINDBG.EXEJOEBOXCONTROL.EXEJOEBOXSERVER.EXERESOURCEHACKER.EXEX32DBG.EXEX64DBG.EXEFIDDLER.EXEHTTPDEBUGGER.EXERANDOM NAMEI AM CRITICAL FUNCTION, YOU SHOULD PROTECT AGAINST INT3 BPS %DPRL_CC.EXEPRL_TOOLS.EXECHECKING PARALLELS PROCESSES: %SHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0IDENTIFIERQEMUCHECKING REG KEY %S QEMU-GA.EXECHECKING QEMU PROCESSES %S VBOXHARDWARE\DESCRIPTION\SYSTEMSYSTEMBIOSDATE06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOVBOXSERVICE.EXEVBOXTRAY.EXEVMSRVC.EXEVMUSRVC.EXECHECKING VIRTUAL PC PROCESSES %S SOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSVMWAREHARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONSYSTEMMANUFACTURERSYSTEMPRODUCTNAMECHECKING REG KEY %S
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\System32\conhost.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | API coverage: 4.5 %
Source: C:\Users\user\zT6Nm@i4\zr.exe | API coverage: 7.3 %
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6568 | Thread sleep count: 342 > 30
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6876 | Thread sleep count: 60 > 30
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6884 | Thread sleep count: 45 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_0040755D FindFirstFileW,
Source: C:\Users\user\zT6Nm@i4\zr.exe | Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | Code function: 0_2_000000014015892C VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\
Source: K_FPS64.dll.0.dr | Binary or memory string: ollydbg.exeProcessHacker.exetcpview.exeautoruns.exeautorunsc.exefilemon.exeprocmon.exeregmon.exeprocexp.exeidaq.exeidaq64.exeImmunityDebugger.exeWireshark.exedumpcap.exeHookExplorer.exeImportREC.exePETools.exeLordPE.exeSysInspector.exeproc_analyzer.exesysAnalyzer.exesniff_hit.exewindbg.exejoeboxcontrol.exejoeboxserver.exeResourceHacker.exex32dbg.exex64dbg.exeFiddler.exehttpdebugger.exeRandom nameI am critical function, you should protect against int3 bps %dprl_cc.exeprl_tools.exeChecking Parallels processes: %sHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUChecking reg key %s qemu-ga.exeChecking qemu processes %s VBOXHARDWARE\Description\SystemSystemBiosDate06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideovboxservice.exevboxtray.exeVMSrvc.exeVMUSrvc.exeChecking Virtual PC processes %s SOFTWARE\Microsoft\Virtual Machine\Guest\ParametersVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerSystemProductNameChecking reg key %s
Source: K_FPS64.dll.0.dr | Binary or memory string: 00:1C:14PV00:50:56Checking MAC starting with %svmtoolsd.exevmwaretray.exevmwareuser.exeVGAuthService.exevmacthlp.exeChecking VWware process %s kernel32.dllntdll.dllRtlGetVersionRtlAddFunctionTablentdll
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.685826678.0000000000641000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000180014870 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140002BFC VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140154B40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001800090C0 SetFileAttributesW,Sleep,SleepEx,ShellExecuteExW,Sleep,SleepEx,DeleteFileW,ShellExecuteW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,ShellExecuteExW,DeleteFileW,DeleteFileW,DeleteFileW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeProcess created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: _cwprintf_s_l,GetNumberFormatW,GetLocaleInfoW,lstrlenW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: GetProcAddress,_errno,GetUserDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetSystemDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameW,GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,LoadLibraryW,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140154D44 GetSystemTimeAsFileTime,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140161ED4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_00000001400206A8 GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCode function: 0_2_0000000140001D04 WSAStartup,WSASocketW,gethostname,gethostbyname,inet_ntoa,htons,bind,WSAIoctl,
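The K_FPS64.dll string block above (the two "Binary or memory string" entries) is a ready-made sandbox, VM and debugger fingerprint: analysis-tool process names, guest-service process names for Parallels, QEMU, VirtualBox, Virtual PC and VMware, the registry keys those hypervisors leave behind, the VMware MAC OUI prefixes, and the probe's own "Checking ... %s" format strings. The Python below is an added triage example, not code from the report or from the sample: it pulls those indicator classes out of a byte blob and returns a verdict. The input is a re-typed, NUL-separated sample of the strings listed above (the report prints them run together; a strings dump of the real DLL supplies the same separators). The category names, the VM_GUEST_PROCS grouping and the three-category threshold are this example's own choices.

```python
import re

# Constructed input: a NUL-separated re-typing of the anti-analysis strings the
# report lists for K_FPS64.dll. It is a sample for this example, not the DLL.
SAMPLE_STRINGS = b"\x00".join([
    b"ollydbg.exe", b"ProcessHacker.exe", b"tcpview.exe", b"procmon.exe",
    b"idaq64.exe", b"x64dbg.exe", b"Wireshark.exe", b"joeboxserver.exe",
    b"I am critical function, you should protect against int3 bps %d",
    b"prl_cc.exe", b"prl_tools.exe", b"Checking Parallels processes: %s",
    b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
    b"Identifier", b"QEMU", b"Checking reg key %s", b"qemu-ga.exe",
    b"Checking qemu processes %s", b"VBOX",
    b"HARDWARE\\ACPI\\DSDT\\VBOX__", b"SYSTEM\\ControlSet001\\Services\\VBoxGuest",
    b"vboxservice.exe", b"vboxtray.exe", b"VMSrvc.exe",
    b"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters", b"VMWARE",
    b"SYSTEM\\ControlSet001\\Control\\SystemInformation", b"SystemManufacturer",
    b"00:1C:14", b"PV", b"00:50:56", b"Checking MAC starting with %s",
    b"vmtoolsd.exe", b"vmwaretray.exe", b"VGAuthService.exe",
    b"kernel32.dll", b"ntdll.dll", b"RtlGetVersion",
])

EXE_RE = re.compile(rb"[A-Za-z0-9_\-]+\.exe")
REG_RE = re.compile(rb"(?:HARDWARE|SYSTEM|SOFTWARE)\\[^\x00]+")
MAC_RE = re.compile(rb"\b[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}\b")
PROBE_RE = re.compile(rb"Checking [^\x00]*%s")

# Guest-agent / helper processes of the hypervisors named in the report. Any
# other .exe name in the blob is treated as an analysis-tool name. This split is
# the example's own grouping, not something the report states.
VM_GUEST_PROCS = {
    b"prl_cc.exe", b"prl_tools.exe", b"qemu-ga.exe",
    b"vboxservice.exe", b"vboxtray.exe", b"vmsrvc.exe", b"vmusrvc.exe",
    b"vmtoolsd.exe", b"vmwaretray.exe", b"vmwareuser.exe",
    b"vgauthservice.exe", b"vmacthlp.exe",
}


def extract_evasion_indicators(blob: bytes) -> dict:
    """Group the evasion-related strings found in `blob` by what they probe."""
    procs = sorted({m.lower() for m in EXE_RE.findall(blob)})
    return {
        "analysis_tools": [p for p in procs if p not in VM_GUEST_PROCS],
        "vm_guest_processes": [p for p in procs if p in VM_GUEST_PROCS],
        "registry_keys": sorted(set(REG_RE.findall(blob))),
        "mac_prefixes": sorted(set(MAC_RE.findall(blob))),
        "probe_messages": sorted(set(PROBE_RE.findall(blob))),
    }


def evasion_verdict(indicators: dict, min_categories: int = 3) -> tuple:
    """Call it anti-analysis when several independent probe classes co-occur.

    A lone "vboxservice.exe" string is weak evidence (legitimate installers
    mention it too); tool names plus hypervisor registry keys plus MAC
    prefixes in one binary are not. The threshold is this example's choice.
    """
    hits = sum(1 for values in indicators.values() if values)
    return ("anti-analysis", hits) if hits >= min_categories else ("none", hits)


def scan_file(path: str) -> tuple:
    """Run the extractor over an on-disk file and return its verdict."""
    with open(path, "rb") as fh:
        return evasion_verdict(extract_evasion_indicators(fh.read()))


if __name__ == "__main__":
    found = extract_evasion_indicators(SAMPLE_STRINGS)
    for category, values in found.items():
        print(f"{category}: {len(values)}")
        for v in values:
            print("   ", v.decode("latin-1"))
    print("verdict:", evasion_verdict(found))
```

Running the block on the constructed sample reports all five categories and the anti-analysis verdict; `scan_file` does the same for any dropped binary, which is the cheap pre-check to run before deciding whether a sample needs a bare-metal or hardened-VM run rather than a stock sandbox.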

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Scripting 1 | Startup Items 1 | Startup Items 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 31 | System Time Discovery 2 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 2 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Scripting 1 | LSASS Memory | Peripheral Device Discovery 11 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Application Shimming 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 4 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Standard Port 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Registry Run Keys / Startup Folder 21 | Application Shimming 1 | DLL Side-Loading 1 | NTDS | System Information Discovery 25 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Bypass User Access Control 1 | Bypass User Access Control 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Access Token Manipulation 1 | Masquerading 1 | Cached Domain Credentials | Security Software Discovery 241 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Process Injection 11 | Virtualization/Sandbox Evasion 2 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Registry Run Keys / Startup Folder 21 | Access Token Manipulation 1 | Proc Filesystem | Process Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 11 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

The number after a technique is the report's hit counter for that technique, reproduced as extracted; techniques without a number are the matrix's standard filler and were not observed for this sample. The Remote Service Effects column has only three entries, so it is empty in the remaining rows.

Behavior Graph

Behavior Graph ID: 343504
Sample: #U5e74#U7ec8#U63d0#U6210#U5... (name truncated by the graph)
Start date: 24/01/2021
Architecture: WINDOWS
Score: 72

Signatures attached to the start node:
  • Multi AV Scanner detection for submitted file
  • Connects to many ports of the same IP (likely port scanning)
  • Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • Uses known network protocols on non-standard ports

Process tree as drawn in the graph (node numbers are the graph's own; the small counters after a process name are the graph's created-registry-value / created-file counts, reproduced as extracted):
  • Start (node 2) started: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe (node 7, counters 3 17), PMRunner64.exe (node 12), PMRunner64.exe (node 14), zr.exe (node 16, counter 10)
  • Node 7, #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe:
      - network: 204.79.197.200 port 443 (local ports 49696, 49698), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
      - network: 40.126.31.135 port 443 (local ports 49681, 49682), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
      - network: 2 other IPs or domains
      - dropped: C:\Users\user\zT6Nm@i4\PMRunner64.exe (PE32+), C:\Users\user\zT6Nm@i4\K_FPS64.dll (PE32+), C:\Users\user\zT6Nm@i4\zr.exe (PE32)
      - signature: Contains functionality to bypass UAC (CMSTPLUA)
      - started: PMRunner64.exe (node 18, counters 2 1), cmd.exe (node 22, counter 3), zr.exe (node 25, counter 2)
  • Node 12, PMRunner64.exe: signature Tries to detect sandboxes / dynamic malware analysis system (registry check)
  • Node 16, zr.exe: started conhost.exe (node 27, counter 1)
  • Node 18, PMRunner64.exe:
      - network: 110.92.66.246 port 13527 (local ports 49744, 49745), HKKFGL-AS-APHKKwaifongGroupLimitedHK, Hong Kong
      - signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)
  • Node 22, cmd.exe: dropped C:\ProgramData\Microsoft\zr.exe (PE32); started conhost.exe (node 29)
  • Node 25, zr.exe: started conhost.exe (node 31, counter 1)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | 15% | Virustotal |
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe | 22% | ReversingLabs | Win64.Trojan.CrypterX

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\Microsoft\zr.exe | 0% | Virustotal |
C:\ProgramData\Microsoft\zr.exe | 0% | Metadefender |
C:\ProgramData\Microsoft\zr.exe | 0% | ReversingLabs |
C:\Users\user\zT6Nm@i4\K_FPS64.dll | 6% | Virustotal |
C:\Users\user\zT6Nm@i4\K_FPS64.dll | 10% | ReversingLabs | Win64.Trojan.Wacatac
C:\Users\user\zT6Nm@i4\PMRunner64.exe | 0% | Virustotal |
C:\Users\user\zT6Nm@i4\PMRunner64.exe | 0% | Metadefender |
C:\Users\user\zT6Nm@i4\PMRunner64.exe | 0% | ReversingLabs |
C:\Users\user\zT6Nm@i4\zr.exe | 0% | Virustotal |
C:\Users\user\zT6Nm@i4\zr.exe | 0% | Metadefender |
C:\Users\user\zT6Nm@i4\zr.exe | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.nsecsoft.com | 0% | Virustotal |
http://www.nsecsoft.com | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://110.92.66.246:13527/ | true | | unknown

    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.thawte.com/ThawtePremiumServerCA.crl0 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
https://www.thawte.com/cps0/ | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
http://crl.thawte.com/ThawtePCA.crl0 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
http://www.symauth.com/cps0( | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | false | | high
http://www.symauth.com/rpa00 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr | false | | high
https://www.thawte.com/cps0 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
http://www.nsecsoft.com | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.thawte.com/repository0W | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | | high
http://ocsp.thawte.com0 | #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr | false | URL Reputation: safe | unknown

The trailing characters on these URLs (0, (, W) are not part of the addresses: the strings were lifted from the Authenticode certificate blobs in which they are embedded, and the following ASN.1 byte happens to be printable. All of them are Thawte/Symantec CRL, OCSP and CPS endpoints that belong to the code-signing chain of zr.exe and PMRunner64.exe, not to the sample's own traffic; the only contacted URL of interest is the one in the table above.

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
40.126.31.135 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
204.79.197.200 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
110.92.66.246 | unknown | Hong Kong | 133115 | HKKFGL-AS-APHKKwaifongGroupLimitedHK | true

                    Private

                    IP
                    192.168.2.1
                    192.168.2.4

                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 343504
Start date: 24.01.2021
Start time: 10:22:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.expl.evad.winEXE@13/17@0/5
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 12.2% (good quality ratio 9.2%)
  • Quality average: 39.6%
  • Quality standard deviation: 29.1%
HCA Information:
  • Successful, ratio: 59%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • TCP Packets have been reduced to 100
  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 51.104.139.180, 92.122.213.194, 92.122.213.247, 8.248.141.254, 8.253.204.249, 8.241.121.126, 67.27.157.254, 8.248.113.254
  • Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, arc.msn.com.nsatc.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, a1449.dscg2.akamai.net, arc.msn.com, au-bg-shim.trafficmanager.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
10:23:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe
10:23:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe
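The process chain recorded in the signature list (zr.exe a ...\111.7z ...\TXP\*, then cmd.exe /C copy.bat, then PMRunner64.exe), the two Run-key writes above, the Startup-folder shortcut under Created / dropped Files and the HTTP connection to 110.92.66.246:13527 together make a compact detection target. The Python below is an added example, not part of the report or of any Joe Sandbox tooling: it runs four rules over process, registry, file and network events and then correlates the autostart target with the odd-port HTTP client. The event records are constructed to mirror what the report shows (the sample is called sample.exe here, and the Startup shortcut is named Realtek.lnk because the report's own name for it is mojibake); the field names, rule names, the "benign profile subdirectories" list and the standard-HTTP-port set are this example's own choices.

```python
import re

# Constructed telemetry modelled on the report (process creations, the two
# Run-key writes, the Startup-folder shortcut and the C2 URL). Not sandbox output.
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Desktop\sample.exe",
     "cmdline": r"'C:\Users\user\Desktop\sample.exe'"},
    {"type": "process", "image": r"C:\Users\user\zT6Nm@i4\zr.exe",
     "cmdline": r"'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'"},
    {"type": "process", "image": r"C:\Users\user\zT6Nm@i4\PMRunner64.exe",
     "cmdline": r"'C:\Users\user\zT6Nm@i4\PMRunner64.exe'"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\user\zT6Nm@i4\PMRunner64.exe"},
    {"type": "file", "process": r"C:\ProgramData\Microsoft\zr.exe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Realtek.lnk"},
    {"type": "network", "image": r"C:\Users\user\zT6Nm@i4\PMRunner64.exe",
     "proto": "http", "dst": "110.92.66.246", "dport": 13527},
    {"type": "network", "image": r"C:\Users\user\Desktop\sample.exe",
     "proto": "tls", "dst": "204.79.197.200", "dport": 443},
]

RUN_KEY_RE = re.compile(r"^HK(?:CU|LM)(?:64)?\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
PROFILE_SUBDIR_RE = re.compile(r"^C:\\Users\\[^\\]+\\([^\\]+)\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)
ARCHIVE_CMD_RE = re.compile(r"\s[ax]\s.*\.7z", re.I)   # 7-Zip style "a"/"x" verb with a .7z target
STANDARD_HTTP_PORTS = {80, 8080, 8000, 8008, 8443}     # example's own allow-list
BENIGN_PROFILE_SUBDIRS = {"appdata", "desktop", "documents", "downloads", "onedrive", "pictures"}


def odd_profile_subdir(path):
    """Return the directory directly under the user profile root when it is not a standard one."""
    m = PROFILE_SUBDIR_RE.match(path)
    if not m or m.group(1).lower() in BENIGN_PROFILE_SUBDIRS:
        return None
    return m.group(1)


def detect(events):
    """Apply the four rules, then correlate the autostart target with the odd-port HTTP client."""
    findings = []
    autostart_targets = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            # An archiver living in a random profile subdirectory, packing a sibling tree.
            if odd_profile_subdir(ev["image"]) and ARCHIVE_CMD_RE.search(ev["cmdline"]):
                findings.append(("archiver_from_profile_subdir", ev["image"], ev["cmdline"]))
        elif kind == "registry":
            # Run key whose target is outside the usual per-user application folders.
            if RUN_KEY_RE.match(ev["key"]) and odd_profile_subdir(ev["data"]):
                findings.append(("run_key_into_profile_subdir", ev["key"], ev["data"]))
                autostart_targets.add(ev["data"].lower())
        elif kind == "file":
            # Shortcut written into a Startup folder (per-user or all-users).
            if STARTUP_LNK_RE.search(ev["path"]):
                findings.append(("startup_folder_shortcut", ev["process"], ev["path"]))
        elif kind == "network":
            # Plain HTTP to a port that is not a conventional web port.
            if ev["proto"] == "http" and ev["dport"] not in STANDARD_HTTP_PORTS:
                findings.append(("http_on_nonstandard_port", ev["image"], f"{ev['dst']}:{ev['dport']}"))
    # Correlation: the binary registered for autostart is the one speaking HTTP on an odd port.
    for name, image, detail in list(findings):
        if name == "http_on_nonstandard_port" and image.lower() in autostart_targets:
            findings.append(("persistent_implant_with_c2", image, detail))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"[{rule}] {subject} -> {detail}")
```

On the constructed events the four single-event rules each fire once, and the correlation adds a fifth finding tying PMRunner64.exe's Run-key entry to its 110.92.66.246:13527 session. The correlation is the part worth keeping: any one of the single rules has benign matches (portable 7-Zip in a profile folder, a vendor updater in Run, an internal service on 8081), but an autostart binary that is also the odd-port HTTP client rarely does.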

                    Joe Sandbox View / Context

                    IPs

Match | Associated Sample Name / URL | Detection | Context
204.79.197.200 | 6.html | malicious | www.bing.com/favicon.ico
204.79.197.200 | 6.html | malicious | www.bing.com/favicon.ico

                    Domains

                    No context

                    ASN

Match: HKKFGL-AS-APHKKwaifongGroupLimitedHK (AS133115)
Associated Sample Name / URL | Detection | Context (IP)
insz.exe | malicious | 88.218.145.49
DOCUMENTO_MEDICO.doc | malicious | 154.221.28.167
NI3651011817UL.doc | malicious | 103.210.237.241
BAL_46979369.doc | malicious | 103.210.237.241
427424855528075826480424.doc | malicious | 103.210.237.241
FILE_81380052.doc | malicious | 103.210.237.241
FILE_PO_09152020EX.doc | malicious | 103.210.237.241
DOC_PO_09152020EX.doc | malicious | 103.210.237.241
KH3117818420XX.doc | malicious | 103.210.237.241
XCP_87353228.doc | malicious | 103.210.237.241
BAL_PO_09152020EX.doc | malicious | 103.210.237.241
IO3812758081JW.doc | malicious | 103.210.237.241
BAL_53345761.doc | malicious | 103.210.237.241
FILE_PO_09152020EX.doc | malicious | 103.210.237.241
FILE_YZGLOSASM.doc | malicious | 103.210.237.241
BAL_3105782760272.doc | malicious | 103.210.237.241
VCG4PMFIB0AR.doc | malicious | 103.210.237.241
4502009880852.doc | malicious | 103.210.237.241
INV_PO_09152020EX.doc | malicious | 103.210.237.241
W_RS5947693334AJ.doc | malicious | 103.210.237.241

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS (AS8075 and AS8068; the report prints the same twenty entries once per ASN, merged here)
Associated Sample Name / URL | Detection | Context (IP)
Shipping Document PL&BL Draft.exe | malicious | 52.165.230.236
397282_BHJ.LNK | malicious | 157.55.165.21
075782_NGD.LNK | malicious | 157.55.165.21
118.apk | malicious | 52.177.138.113
oHqMFmPndx.exe | malicious | 52.110.67.58
ID652411022142.vbs | malicious | 104.41.44.79
FileZilla_3.52.2_win64_sponsored-setup.exe | malicious | 104.208.16.0
mfpVTSmyz-Fichero.msi | malicious | 40.112.173.153
Proforma Invoice.exe | malicious | 52.97.170.34
ID196619484.vbs | malicious | 104.41.44.79
#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM | malicious | 104.41.163.16
57229937-122020-4-7676523.doc | malicious | 52.165.155.237
20202237F.html | malicious | 52.239.172.132
demo.js | malicious | 191.233.233.157
demo.js | malicious | 191.233.233.157
E-DEKONT.exe | malicious | 52.97.144.178
PO-RY 001-21 Accuri.jar | malicious | 23.98.35.163
ID32256523109.vbs | malicious | 104.41.44.79
SHIPPING DOCUMENTS.exe | malicious | 20.190.63.69
DHL Notification -AWB DHL-2021011293002.exe | malicious | 52.97.201.82

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

C:\ProgramData\Microsoft\111.7z
Process: C:\Windows\System32\cmd.exe
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 871
Entropy (8bit): 7.6751333998200835
Encrypted: false
SSDEEP: 24:CIOegEZhc5iZzVT78nOwNDSxEqrohfoi4:CLegEZnf8nhmtURoT
MD5: 23AEFC140636655BE400C41403524704
SHA1: BD581B29370FD93ABF63BD2C02998A0EF2DFD2A4
SHA-256: D37575E0B66A925ACB5432CC7B706DA8985635B80B3D60C6C90F748D1F743505
SHA-512: 2517137ABEE797FCA5E597A3826B7C02B1CB1EC045DAE4C1B493C8EE2070D6473DA9E7C584F8302D598DF11C687EE11BF2DDE9E33616243C6F94986CBD0A7AA0
Malicious: false
Reputation: low
Preview: 7z..'....A`.$.......#.........8.....l].&.0.!?...o..1b..V..pS.G.U.>............Gg..1>....;....>|*.P..D.H.ta......0ur4..F6..f.d.2..Vzr.....#.%..a...?.6.j8KM..$...Uh..{.{._.21.!....ui8..Y*..M...K.L+.6zE0.....S=..c......4.H...E}..z. D......k...P:3...c9.......7."....V........>..l......R.a.i.Pk.....?*.2.c...,.L.. .VC...ui...y^..[.$..%.ea........B...l-.....w.Ao.0.`.....Z>.......,\>.x...l..d......B.v.#P....a.8V.9`lw.f..J"r.._."9j...r".C.......?.L@..=.....9%...-..4...".[.....I...-...').(Dj.....`0L.Jq.;yZ.!w.i./..\2.e.....iCg...P....xr..9^...*....."..Q...V.V......... 0..M...q.).?uB...H.D..{Q.......[.4C..5....(:.{!\.u}5....*..{..'-..X=T.....3....Ed^.$...p..@.p.u/..........#.,..o.(iAk.HY-.}1./vF...].%...W.z@.@l.......gS........{...*.E.i.n..q.*]Y....H.=<.R.[..V%.!K-}.....v...y.M&..^....T..@....s...AZP.....t..........#....]......r...*...
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Realtek???????? .lnk
Process: C:\ProgramData\Microsoft\zr.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
Category: dropped
Size (bytes): 1791
Entropy (8bit): 3.466273590595946
Encrypted: false
SSDEEP: 24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
MD5: 5FF572CBE6B366349A9D3389D4A60CAC
SHA1: 497C442D14F4A09D00C3294784ECA1DC43A6F4A2
SHA-256: 16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
SHA-512: 6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
Malicious: false
Reputation: low
Preview: L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........
Note: this is the all-users Startup folder, so the shortcut runs for every account that logs on, and it is written by the copy of zr.exe that cmd.exe placed in C:\ProgramData\Microsoft (the second persistence path beside the HKCU Run key). The preview shows the link target as C:\Users\user\zT6Nm@i4\PMRunner64.exe, hard-coded UTF-16 paths under C:\Users\jones\zT6Nm@i4\ (a profile that does not exist on the analysis machine, so an author-side artefact worth keeping as an indicator), and the environment form %USERPROFILE%\zT6Nm@i4\PMRunner64.exe, which is what lets the shortcut resolve on any victim account. The ???????? in the file name are characters the report could not render, not part of the name.
                    C:\ProgramData\Microsoft\zr.exe
                    Process:C:\Windows\System32\cmd.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):461088
                    Entropy (8bit):6.581027593342649
                    Encrypted:false
                    SSDEEP:12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
                    MD5:045FCBE6C174AFA9A6A998BDD6F9FAD7
                    SHA1:9F477006DC176608E953EF44902FCE17DDF8FCA3
                    SHA-256:08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
                    SHA-512:59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
                    Malicious:false
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 0%
                    • Antivirus: Metadefender, Detection: 0%
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:low
                    C:\Users\user\AppData\Roaming\Plugin32.dll
                    Process:C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):191488
                    Entropy (8bit):7.99619087524627
                    Encrypted:true
                    SSDEEP:3072:SGtyjkUNHHoDhFMFI0rciHPgZwkndg0WU15pI9SmDCPAuE1L3kaF/F1Dmq:S0yjkKHHAh9t4EbHI9SmDiAQWd1Dmq
                    MD5:F6773A1C5D1566F4BEBDBF81BDDDC57D
                    SHA1:38CC9D3391DE6AE3773076E23B528F9534E40471
                    SHA-256:5B672EE64618CCCBC94011E1BA713E5B6EFA574A8CCA18CC3653C499B2AF2202
                    SHA-512:63E4BE550A66783ADFA6D064BA4912A6440986D3AF396F608F3C7B0B9F830DB8BB718216824689E1CA23D636AE67838ADB49DC0DA3263C9D64D823FB15CC964C
                    Malicious:false
                    Reputation:low
                    C:\Users\user\zT6Nm@i4\111.7z
                    Process:C:\Users\user\zT6Nm@i4\zr.exe
                    File Type:7-zip archive data, version 0.4
                    Category:dropped
                    Size (bytes):895
                    Entropy (8bit):7.58674925006426
                    Encrypted:false
                    SSDEEP:24:7OegEZhc5iZzVT78nOwNDSxEqrohfoiQ3T:KegEZnf8nhmtURo/3T
                    MD5:8B8E701F0984126214856AEA7B49A3E1
                    SHA1:BC4995ABD24C3451D3AF427F7CE03FA484055157
                    SHA-256:D4714CBC4612E14FA5D62B26274411A435396094EFECAAC6D82325FA2400FD04
                    SHA-512:7049B6C1ED94B5F10138C3971598A7C98D2E25F340A3C914F4E0D27074AF70A51FF53A7652CE4373140054B0E16A484D1083483CFEB105F6DF5D313C3FAF35E5
                    Malicious:false
                    Reputation:low
                    C:\Users\user\zT6Nm@i4\KK.txt
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):224323
                    Entropy (8bit):7.996498851977439
                    Encrypted:true
                    SSDEEP:6144:5SDdKtn3KwKa9xg8LIzF9yWeSBvd+tResBuYU:4Dde3xKhOIzOGBF
                    MD5:7B30F5D321E85813F5E5835F92FFA0FC
                    SHA1:369474EA5BFFA01DAC8C663EDE08D7D0D8967054
                    SHA-256:445E5B49DA01A0D99AFD84EF3D9C5238E02D5E4FBC546D43C619005A622C9917
                    SHA-512:8797E96456F2C822DA7B79486784BA49ED7A4CC85FF74F76D097339EA8C2FDC945E1EB51BEF28F7E1358EA38BD6BBB8D1C35D63A54F5000A1D75C5E90DDAB0FD
                    Malicious:false
                    Reputation:low
                    C:\Users\user\zT6Nm@i4\K_FPS64.dll
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):302592
                    Entropy (8bit):5.94262128533878
                    Encrypted:false
                    SSDEEP:6144:YDVMbwz0W4gWqPcjwhum9o34Ec2x1tRuf+X4zNEP:YDGO0WTWq4wYb34Ec2vupEP
                    MD5:B8477E4DF0F24A96BBAFD2F13C31A4A2
                    SHA1:E4548C10552B1906BBE4A7EED90E97D24C958CF5
                    SHA-256:5EFD269CA1CD474F68ECE50E6AC3F88F1831ACA273DE9789C17DD8A46AEA8D71
                    SHA-512:6FE6FF9E3BD95CE0583AA2BBB06B8AB123363D94AFEEAB3CCE377B1FB5EABB0BA58F1107E822C39FF2D186E788783262EFFAB8270519A2A118C055013BEEC6B3
                    Malicious:true
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 6%
                    • Antivirus: ReversingLabs, Detection: 10%
                    Reputation:low
                    C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):271704
                    Entropy (8bit):5.761811520401724
                    Encrypted:false
                    SSDEEP:3072:wWHyRIh1NDBeEOqDhPbsuB35WlP+7l1MYMb3URvwgwWwBHNFs:nrrNDBeJwhbh3mU9wgw
                    MD5:65DBB57517611D9DE8CE522022DCD727
                    SHA1:B33E6DB5C460E5E38DD636C4D48E9D4523E2838F
                    SHA-256:0525B815E61D3CD83FD4C87032DE7C1DCBA5E8D2619539F925E43624EB6E1D77
                    SHA-512:D8D34BC3642255DFF395CB47A0EA58CC07D911B3535A0A6D972CC4E501F6CCAB200A7D636FCDEE77DC6E7AD6B735918BCDF48EA6F0EA0E26804C31F2D175490D
                    Malicious:true
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 0%
                    • Antivirus: Metadefender, Detection: 0%
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:low
                    C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
                    Category:dropped
                    Size (bytes):1791
                    Entropy (8bit):3.466273590595946
                    Encrypted:false
                    SSDEEP:24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
                    MD5:5FF572CBE6B366349A9D3389D4A60CAC
                    SHA1:497C442D14F4A09D00C3294784ECA1DC43A6F4A2
                    SHA-256:16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
                    SHA-512:6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
                    Malicious:false
                    Reputation:low
                    Preview: L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........
                    C:\Users\user\zT6Nm@i4\copy.bat
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:ASCII text, with CR, LF line terminators
                    Category:dropped
                    Size (bytes):148
                    Entropy (8bit):4.859584238440697
                    Encrypted:false
                    SSDEEP:3:55Pt+ZIgUAdkdZkRErG+ffbNQdi25Pt+ZIrUhFmRdZkRErG+fUNhn:PwZIPAra3ZQdi2wZIroakn
                    MD5:7EE919ABFE2EBEFCDD420D0E0784F1C9
                    SHA1:760A5A935E7453C7C3D0CFE786975F97931382BB
                    SHA-256:21C285FD608237D8B329AD8266FDCC0E9C671BAEB956E9544CAEC712944EF8A9
                    SHA-512:0327C9A5500BEF65DFF1501553F0471B7CF2584CAA56CBF15673AC4AF10E748C08E15C5878F0C792907F2F777C6393925A22AB36BDBB70C29963FEC9A07AFFF5
                    Malicious:false
                    Reputation:low
                    Preview: copy "C:\Users\user\zT6Nm@i4\zr.exe" "C:\ProgramData\Microsoft\zr.exe"..copy "C:\Users\user\zT6Nm@i4\111.7z" "C:\ProgramData\Microsoft\111.7z"..
                    C:\Users\user\zT6Nm@i4\ru2.url
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\zT6Nm@i4\run001.lnk>), ASCII text, with CR line terminators
                    Category:dropped
                    Size (bytes):65
                    Entropy (8bit):4.934228490671524
                    Encrypted:false
                    SSDEEP:3:HRAbABGQVuOt+ZIo7g:HRYF5OwZIig
                    MD5:004A6C48B0C8EE5A854123B30016589A
                    SHA1:E491D660E83A6DC76EDFB00A8750B98E6F66C665
                    SHA-256:2CF3CC8BCD1655AE232418CCFEBBF8D0AA5EFB062F95DF320C27B5C3A69E9A7C
                    SHA-512:02CD3B044426D6CE89CECBFD16D294882AF867C33F53E6AE71104A4D4E2D57C9A551E659616B7D331CD8714E55DED39538796AD4A1F076483E619CF49E864E7E
                    Malicious:false
                    Yara Hits:
                    • Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\zT6Nm@i4\ru2.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
                    Reputation:low
                    Preview: [InternetShortcut].URL=file:///C:\Users\user\zT6Nm@i4\run001.lnk
                    C:\Users\user\zT6Nm@i4\run.lnk
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Apr 11 22:34:14 2018, mtime=Wed Sep 30 06:35:53 2020, atime=Wed Apr 11 22:34:14 2018, length=273920, window=hide
                    Category:dropped
                    Size (bytes):1845
                    Entropy (8bit):3.204025472281673
                    Encrypted:false
                    SSDEEP:24:8PHjJW6PV7Mmc7S6MAdx+/5+fUt+/g4I0Z57aB6m:8PMYdCXLiu8sIrB6
                    MD5:BE3AF8B163611E11E35121A9C0DE546F
                    SHA1:DFEEE23EAE5794D9C6D7B54A00CB0E42800AFAA3
                    SHA-256:271541E40261A329ED49F004A2ABAAA533009C1E94B9F7CA3CED62756E59912B
                    SHA-512:495C1D2427C943DFBC3739CFC3E104934449E629B39FEF81074F21151345DBA06A96DFE766B03F8CF74CDE5EB8D52CB8F00FA969186E8CECDFCF3B37346739EF
                    Malicious:false
                    Reputation:low
                    Preview: L..................F.@.. ...].......J..S....]...............................5....P.O. .:i.....+00.../C:\...................V.1.....>Qz<..Windows.@......L..8R.J..............................W.i.n.d.o.w.s.....Z.1.....8R.J..System32..B......L..8R.J..........................e...S.y.s.t.e.m.3.2.....V.2......LH. .cmd.exe.@......LH.>Qx<...............t...........&.c.m.d...e.x.e.......J...............-.......I..............w.....C:\Windows\System32\cmd.exe..!.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.&. ./.c. .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.r.u.n.0.0.1...l.n.k...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e.........%SystemRoot%\System32\cmd.exe.......................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y
                    C:\Users\user\zT6Nm@i4\run001.lnk
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                    Category:dropped
                    Size (bytes):1457
                    Entropy (8bit):1.9452446037061828
                    Encrypted:false
                    SSDEEP:12:8zM0i/kdvrHjHbQbfnbB5baP0yZ3ZrwPH:8AIzD7kzzk0yZ3Zk
                    MD5:95A5332A3DE1AE6E16F7E139EE968E9B
                    SHA1:9E7DD05E15FCAC8C1B8E91978B7EFEB923CD6A88
                    SHA-256:5D0904F70763CA9D1118EFD2171BA4A0CF0D7C10B8D121836F95CE16A3E03C5A
                    SHA-512:53A9CA5C5754D742BD568953B8B4A5AB58BDEA9C9CFC7E49C921484883BCF93CA9E5B6758FDFF72FF98BD0C5D1B70B97B264C89912880A7BB179CE26E8A768B0
                    Malicious:false
                    Reputation:low
                    Preview: L..................F.@......................................................A....P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....T.2...........zr.exe..>............................................z.r...e.x.e.......%.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.%. .x. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.1.1.1...7.z. .-.y...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e.........%ALLUSERSPROFILE%\Microsoft\zr.exe..................................................................................................................................................................................................................................%.A.L.L.U.S.E.R.S.P.R.O.F.I.L.E.%.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e
                    C:\Users\user\zT6Nm@i4\run003.lnk
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sun Apr 30 07:53:46 2017, mtime=Sun Apr 30 07:53:46 2017, atime=Sun Apr 30 07:53:46 2017, length=461088, window=hide
                    Category:dropped
                    Size (bytes):1837
                    Entropy (8bit):3.401424786774406
                    Encrypted:false
                    SSDEEP:24:8hJ3AX3igX1AnxQfouopHO8jAIM7aB6m:8/3AniRyfouopHdB6
                    MD5:4AC952055902E20C748E96234BF2F56C
                    SHA1:9B0BADF7DE8286543D6D5C45CD19E834E76E671F
                    SHA-256:0D7B6A444BFA014BEE1DC4769FB66663BB1F0FC0B3327EC41AB9F5342BF571EF
                    SHA-512:80639E1E8B2C4DD3BEC66CBEF87B7E1293D9CCE7E8B34C71B9011400E536CBA39801155CAC3C691B096F2B2B55254CF53FB402B7D843E429196C8B5484DD83DA
                    Malicious:false
                    Preview: L..................F.@.. ......i.......i.......i.... .........................:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X........................z.T.6.N.m.@.i.4...D.T.2. ....J.F .zr.exe..>......J.F.J.F....:X........................z.r...e.x.e.......M...............-.......L..............w.....C:\Users\user\zT6Nm@i4\zr.exe......\.z.r...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.B.a. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.1.1.1...7.z.". .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.T.X.P.\.*."...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.z.r...e.x.e.........%USERPROFILE%\zT6Nm@i4\zr.exe.......................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m
                    C:\Users\user\zT6Nm@i4\zr.exe
                    Process:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):461088
                    Entropy (8bit):6.581027593342649
                    Encrypted:false
                    SSDEEP:12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
                    MD5:045FCBE6C174AFA9A6A998BDD6F9FAD7
                    SHA1:9F477006DC176608E953EF44902FCE17DDF8FCA3
                    SHA-256:08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
                    SHA-512:59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
                    Malicious:false
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 0%
                    • Antivirus: Metadefender, Detection: 0%
                    • Antivirus: ReversingLabs, Detection: 0%
                    \Device\ConDrv
                    Process:C:\ProgramData\Microsoft\zr.exe
                    File Type:ASCII text, with CRLF, CR line terminators
                    Category:dropped
                    Size (bytes):484
                    Entropy (8bit):4.98831110003937
                    Encrypted:false
                    SSDEEP:12:pltQzsBRwgaQH7pyTkaHo8ajFsQcE5+svhJAISLGN2Gy:pYzsDwXQboTjUZH+svhJAI9wv
                    MD5:70C66FCD7F376B7EC9AD79053CA63030
                    SHA1:E3AE64762463879E0B8C91713A291B540131E423
                    SHA-256:3FD565B1794F89DB8FFA179D9EBF283A0AC7B37BD9E8AD8DE94BB1443B0416BA
                    SHA-512:0B07E9206A5B8D60D93AE7AE826605FFBC2DE13B072DB3EEF2A74E0E05485B8ADDA1E5D6231CC9965FD34093739603566841098631FBD89B8F7CC8889A2FBDA0
                    Malicious:false
                    Preview: ..7-Zip (r) [32] 16.04 : Igor Pavlov : Public domain : 2016-10-04....Scanning the drive for archives:.. 0M Scan C:\ProgramData\Microsoft\. .1 file, 871 bytes (1 KiB)....Extracting archive: C:\ProgramData\Microsoft\111.7z..--..Path = C:\ProgramData\Microsoft\111.7z..Type = 7z..Physical Size = 871..Headers Size = 243..Method = LZMA2:12..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Folders: 4..Files: 1..Size: 1791..Compressed: 871..

                    Static File Info

                    General

                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                    Entropy (8bit):6.805779435598225
                    TrID:
                    • Win64 Executable GUI (202006/5) 92.65%
                    • Win64 Executable (generic) (12005/4) 5.51%
                    • Generic Win/DOS Executable (2004/3) 0.92%
                    • DOS Executable Generic (2002/1) 0.92%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    File size:3150336
                    MD5:6665909a2652c5860fd874cb15c3991c
                    SHA1:84a5a2e920e8165634e510766eaa51662401a227
                    SHA256:1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d
                    SHA512:c7ca90037a3e67b443fe6b8f8a8df510eb2794d53a80a416b7234de123703cf5b590f3314f1e0acf749156ce40cc176182d521679c83afceb18b60d39e07c6a5
                    SSDEEP:49152:jwBFRHHY3rC5IgDAI9q8xCFEXlZ40nqSvLcUhGcwKEAX/ivWPlGbjtGysnISnvpZ:jwlHYm5IML9hGvTWlGnUysnISnBdu2

                    File Icon

                    Icon Hash:74cac4d4d4d0c4d4

                    Static PE Info

                    General

                    Entrypoint:0x1401543b0
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x140000000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
                    DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                    Time Stamp:0x600BDCC7 [Sat Jan 23 08:22:31 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:2
                    File Version Major:5
                    File Version Minor:2
                    Subsystem Version Major:5
                    Subsystem Version Minor:2
                    Import Hash:5894f7ecf05bebd0f6f297d29b91f916

                    Entrypoint Preview

                    Instruction
                    dec eax
                    sub esp, 28h
                    call 00007F7DAC8515DCh
                    dec eax
                    add esp, 28h
                    jmp 00007F7DAC84AA97h
                    int3
                    int3
                    dec eax
                    mov dword ptr [esp+08h], ebx
                    push edi
                    dec eax
                    sub esp, 20h
                    dec eax
                    lea eax, dword ptr [00076193h]
                    mov ebx, edx
                    dec eax
                    mov edi, ecx
                    dec eax
                    mov dword ptr [ecx], eax
                    call 00007F7DAC851667h
                    test bl, 00000001h
                    je 00007F7DAC84AC4Ah
                    dec eax
                    mov ecx, edi
                    call 00007F7DAC6F960Eh
                    dec eax
                    mov eax, edi
                    dec eax
                    mov ebx, dword ptr [esp+30h]
                    dec eax
                    add esp, 20h
                    pop edi
                    ret
                    int3
                    int3
                    int3
                    dec eax
                    sub esp, 28h
                    dec eax
                    mov eax, edx
                    dec eax
                    lea edx, dword ptr [ecx+11h]
                    dec eax
                    lea ecx, dword ptr [eax+11h]
                    call 00007F7DAC8516B1h
                    test eax, eax
                    sete al
                    dec eax
                    add esp, 28h
                    ret
                    int3
                    int3
                    dec eax
                    mov dword ptr [esp+10h], ebx
                    dec eax
                    mov dword ptr [esp+18h], ebp
                    dec eax
                    mov dword ptr [esp+20h], esi
                    push edi
                    inc ecx
                    push esp
                    inc ecx
                    push ebp
                    inc ecx
                    push esi
                    inc ecx
                    push edi
                    dec eax
                    sub esp, 20h
                    dec ecx
                    arpl word ptr [eax+0Ch], di
                    dec esp
                    mov edi, ecx
                    dec ecx
                    mov ecx, eax
                    dec ecx
                    mov ebp, ecx
                    dec ebp
                    mov ebp, eax
                    dec esp
                    mov esi, edx
                    call 00007F7DAC8517ADh
                    dec ebp
                    mov edx, dword ptr [edi]
                    dec esp
                    mov dword ptr [ebp+00h], edx
                    inc esp
                    mov esp, eax
                    test edi, edi
                    je 00007F7DAC84ACCAh
                    dec eax
                    lea ecx, dword ptr [edi+edi*4]
                    dec eax
                    lea esi, dword ptr [FFFFFFECh+ecx*4]
                    dec ecx
                    arpl word ptr [ebp+10h], bx
                    dec ecx

                    Rich Headers

                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [C++] VS2010 build 30319
                    • [RES] VS2010 build 30319
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ff938 | 0x17c | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x306000 | 0xb0f8 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2f0000 | 0x13518 | .pdata
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x17b000 | 0x1350 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x179a48 | 0x179c00 | False | 0.519473729112 | data | 6.37063911403 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata | 0x17b000 | 0x886cc | 0x88800 | False | 0.253088870765 | data | 4.38109791814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x204000 | 0xeb290 | 0xdee00 | False | 0.944429595485 | data | 7.74292213666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .pdata | 0x2f0000 | 0x13518 | 0x13600 | False | 0.497505040323 | data | 6.14754754116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    text | 0x304000 | 0xbbd | 0xc00 | False | 0.466796875 | data | 5.50929008744 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA
                    data | 0x305000 | 0x760 | 0x800 | False | 0.6806640625 | data | 5.89712002279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0x306000 | 0xb0f8 | 0xb200 | False | 0.413031074438 | data | 5.68750375192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_CURSOR | 0x306c10 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x306d44 | 0xb4 | data | Chinese | China
                    RT_CURSOR | 0x306df8 | 0x134 | AmigaOS bitmap font | Chinese | China
                    RT_CURSOR | 0x306f2c | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307060 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307194 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x3072c8 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x3073fc | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307530 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307664 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307798 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x3078cc | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307a00 | 0x134 | AmigaOS bitmap font | Chinese | China
                    RT_CURSOR | 0x307b34 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307c68 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x307d9c | 0x134 | data | Chinese | China
                    RT_BITMAP | 0x307ed0 | 0xb8 | data | Chinese | China
                    RT_BITMAP | 0x307f88 | 0x144 | data | Chinese | China
                    RT_ICON | 0x3080cc | 0xea8 | data | Chinese | China
                    RT_ICON | 0x308f74 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | Chinese | China
                    RT_ICON | 0x30981c | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China
                    RT_ICON | 0x309d84 | 0x25ad | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China
                    RT_ICON | 0x30c334 | 0x25a8 | data | Chinese | China
                    RT_ICON | 0x30e8dc | 0x10a8 | data | Chinese | China
                    RT_ICON | 0x30f984 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
                    RT_DIALOG | 0x30fdec | 0xde | data | Chinese | China
                    RT_DIALOG | 0x30fecc | 0x210 | data | Chinese | China
                    RT_DIALOG | 0x3100dc | 0xe2 | data | Chinese | China
                    RT_DIALOG | 0x3101c0 | 0x34 | data | Chinese | China
                    RT_STRING | 0x3101f4 | 0x6a | data | Chinese | China
                    RT_STRING | 0x310260 | 0x4e | data | Chinese | China
                    RT_STRING | 0x3102b0 | 0x2c | data | Chinese | China
                    RT_STRING | 0x3102dc | 0x84 | data | Chinese | China
                    RT_STRING | 0x310360 | 0x1c4 | data | Chinese | China
                    RT_STRING | 0x310524 | 0x14e | data | Chinese | China
                    RT_STRING | 0x310674 | 0x10e | data | Chinese | China
                    RT_STRING | 0x310784 | 0x50 | data | Chinese | China
                    RT_STRING | 0x3107d4 | 0x44 | data | Chinese | China
                    RT_STRING | 0x310818 | 0x68 | data | Chinese | China
                    RT_STRING | 0x310880 | 0x1b2 | data | Chinese | China
                    RT_STRING | 0x310a34 | 0xf4 | data | Chinese | China
                    RT_STRING | 0x310b28 | 0x24 | data | Chinese | China
                    RT_STRING | 0x310b4c | 0x1a6 | data | Chinese | China
                    RT_GROUP_CURSOR | 0x310cf4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310d90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310da4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310db8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310dcc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310de0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310df4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310e08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x310e1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_ICON | 0x310e30 | 0x68 | data | Chinese | China
                    RT_MANIFEST | 0x310e98 | 0x25f | ASCII text, with very long lines, with no line terminators | English | United States

                    Imports

                    DLL | Import
                    KERNEL32.dll | IsValidCodePage, GetTimeZoneInformation, LCMapStringW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, RtlCaptureContext, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, HeapCreate, GetVersion, HeapSetInformation, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SizeofResource, SetUnhandledExceptionFilter, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, SetThreadStackGuarantee, HeapSize, HeapQueryInformation, RtlPcToFileHeader, GetOEMCP, CreateThread, ExitThread, HeapReAlloc, GetSystemTimeAsFileTime, DecodePointer, EncodePointer, RtlUnwindEx, RtlLookupFunctionEntry, GetStartupInfoW, GetCommandLineW, FindResourceExW, SearchPathW, Sleep, GetProfileIntW, InitializeCriticalSectionAndSpinCount, GetTickCount, GetNumberFormatW, GetWindowsDirectoryW, GetTempPathW, GetTempFileNameW, GetFileTime, GetFileSizeEx, GetFileAttributesW, FileTimeToLocalFileTime, GetFileAttributesExW, SetErrorMode, FileTimeToSystemTime, GlobalGetAtomNameW, lstrlenA, GetFullPathNameW, GetACP, GetCPInfo, RaiseException, GetStringTypeW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, GetThreadLocale, lstrcpyW, DeleteFileW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, GlobalHandle, GlobalReAlloc, TlsAlloc, InitializeCriticalSection, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetCurrentDirectoryW, ReleaseActCtx, CreateActCtxW, CopyFileW, GlobalSize, FormatMessageW, LocalFree, MulDiv, GlobalFindAtomW, GetVersionExW, CompareStringW, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomW, GetPrivateProfileStringW, lstrlenW, WritePrivateProfileStringW, GetPrivateProfileIntW, CreateEventW, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameW, GetLocaleInfoW, ActivateActCtx, LoadLibraryW, GetLastError, DeactivateActCtx, SetLastError, WideCharToMultiByte, GlobalLock, lstrcmpW, GlobalAlloc, GetModuleHandleW, HeapAlloc, FreeLibrary, GetProcessHeap, HeapFree, IsBadReadPtr, LoadLibraryA, GetProcAddress, VirtualFree, VirtualProtect, VirtualAlloc, MultiByteToWideChar, TerminateThread, ExitProcess, FindResourceW, LoadResource, LockResource
                    USER32.dll | SetMenuDefaultItem, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, RegisterClipboardFormatW, CopyImage, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, GetMenuDefaultItem, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, LockWindowUpdate, BringWindowToTop, SetCursorPos, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, ToUnicodeEx, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, SetClassLongPtrW, GetAsyncKeyState, NotifyWinEvent, CreatePopupMenu, DestroyAcceleratorTable, SetParent, RedrawWindow, SetWindowRgn, IsZoomed, UnregisterClassW, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, SetRect, IsRectEmpty, CopyAcceleratorTableW, OffsetRect, CharNextW, IntersectRect, LoadMenuW, CharUpperW, DestroyIcon, WaitMessage, ReleaseCapture, WindowFromPoint, SetCapture, GetSysColorBrush, LoadCursorW, SetLayeredWindowAttributes, SetRectEmpty, KillTimer, SetTimer, InvalidateRect, RealChildWindowFromPoint, DeleteMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, SystemParametersInfoW, DestroyMenu, IsClipboardFormatAvailable, InflateRect, GetMenuStringW, InsertMenuW, RemoveMenu, ShowWindow, SetWindowTextW, IsDialogMessageW, SetDlgItemTextW, CheckDlgButton, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassNameW, GetClassLongPtrW, SetPropW, GetPropW, RemovePropW, SetFocus, GetWindowTextLengthW, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetWindowLongPtrW, SetWindowLongPtrW, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, AdjustWindowRectEx, GetWindowRect, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, PtInRect, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, GetWindow, SetWindowContextHelpId, FrameRect, GetUpdateRect, GetWindowRgn, DestroyCursor, SubtractRect, MapVirtualKeyExW, IsCharLowerW, GetDoubleClickTime, MapDialogRect, SetWindowPos, MapVirtualKeyW, GetKeyNameTextW, ReleaseDC, GetDC, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamW, CharUpperBuffW, CopyIcon, EmptyClipboard, CloseClipboard, SetClipboardData, GetMenuItemInfoW, OpenClipboard, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetLastActivePopup, IsWindowEnabled, MessageBoxW, ShowOwnedPopups, SetCursor, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetFocus, GetParent, ModifyMenuW, GetMenuState, EnableMenuItem, CheckMenuItem, PostMessageW, PostQuitMessage, GetSystemMetrics, LoadIconW, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageW, AppendMenuW, DrawIcon, MoveWindow, GetWindowLongW, SetWindowLongW, EnumDisplayMonitors
                    GDI32.dll | CreateSolidBrush, CreateHatchBrush, CreateDIBitmap, CreateCompatibleBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, SetRectRgn, CombineRgn, GetMapMode, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, CreatePen, SetPixel, Rectangle, EnumFontFamiliesExW, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, GetTextFaceW, SetPixelV, RectVisible, PtVisible, GetPixel, GetObjectType, TextOutW, SelectPalette, GetStockObject, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, StretchBlt, CreateBitmap, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32W, ExtTextOutW, BitBlt, CreateCompatibleDC, CreateFontIndirectW, CreateDCW, CopyMetaFileW, GetDeviceCaps, GetObjectW, SetBkColor, SetTextColor, PatBlt, CreateRectRgnIndirect, Escape
                    MSIMG32.dll | AlphaBlend, TransparentBlt
                    COMDLG32.dll | GetFileTitleW
                    WINSPOOL.DRV | ClosePrinter, OpenPrinterW, DocumentPropertiesW
                    ADVAPI32.dll | RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyW, RegQueryValueW, RegCloseKey, RegEnumValueW
                    SHELL32.dll | SHAppBarMessage, SHGetFileInfoW, ShellExecuteW, DragFinish, DragQueryFileW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetDesktopFolder
                    COMCTL32.dll | ImageList_GetIconSize
                    SHLWAPI.dll | PathFindFileNameW, PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathRemoveFileSpecW
                    ole32.dll | OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoInitialize, CoUninitialize, OleCreateMenuDescriptor, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, CreateStreamOnHGlobal, OleIsCurrentClipboard, OleFlushClipboard, DoDragDrop, CLSIDFromString, CLSIDFromProgID, CoCreateGuid, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, OleDuplicateData, CoRegisterMessageFilter, CoCreateInstance, CoRevokeClassObject
                    OLEAUT32.dll | SysFreeString, VarBstrFromDate, VariantCopy, SafeArrayDestroy, SystemTimeToVariantTime, VariantTimeToSystemTime, OleCreateFontIndirect, SysStringLen, VariantInit, VariantChangeType, VariantClear, SysAllocStringLen, SysAllocString
                    oledlg.dll | OleUIBusyW
                    WS2_32.dll | WSAIoctl, htons, inet_ntoa, gethostbyname, gethostname, WSASocketW, WSAStartup, ntohs, recv, bind
                    OLEACC.dll | LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
                    gdiplus.dll | GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipGetImagePaletteSize, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipGetImagePalette, GdipCreateBitmapFromStream, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipGetImageGraphicsContext, GdipCreateFromHDC, GdipDrawImageI
                    IMM32.dll | ImmGetOpenStatus, ImmReleaseContext, ImmGetContext
                    WINMM.dll | PlaySoundW

                    Possible Origin

                    Language of compilation system | Country where language is spoken
                    Chinese | China
                    English | United States

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 24, 2021 10:23:23.492737055 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493050098 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493232012 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493341923 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493448019 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493484020 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493712902 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493824005 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.493865967 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.503756046 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.503794909 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.503830910 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.503869057 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.503894091 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.503979921 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504018068 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504620075 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504646063 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504668951 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504837036 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.504875898 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505203962 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505242109 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505482912 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505522966 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505681992 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505717039 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505799055 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.505855083 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:23.506150961 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.506251097 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.506513119 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.506541967 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.626178026 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:23.626334906 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.676939011 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677278996 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677455902 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677529097 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677571058 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677608013 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677635908 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677711964 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677747011 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677762985 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.677767992 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.686454058 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.686647892 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.686887026 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.687319994 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.687814951 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.687844992 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.687937021 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.688262939 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.688580036 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.688678026 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.688756943 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.688922882 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.689089060 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.689160109 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.689368963 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.689434052 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.689743042 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.689924002 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.720083952 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.720293045 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:28.755439043 CET | 443 | 49696 | 204.79.197.200 | 192.168.2.4
                    Jan 24, 2021 10:23:28.755672932 CET | 49696 | 443 | 192.168.2.4 | 204.79.197.200
                    Jan 24, 2021 10:23:37.462538004 CET | 49683 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.462593079 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.462704897 CET | 49683 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.462745905 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.499459982 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.499675989 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.499989986 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.500017881 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.553977013 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.554744005 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645104885 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645154953 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645194054 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645241976 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645297050 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645302057 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645345926 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645354986 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645435095 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645481110 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645541906 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645591974 CET | 443 | 49682 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645615101 CET | 49682 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645648003 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645689964 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645725965 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645764112 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645801067 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645807028 CET | 49683 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645837069 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4
                    Jan 24, 2021 10:23:37.645838022 CET | 49683 | 443 | 192.168.2.4 | 40.126.31.135
                    Jan 24, 2021 10:23:37.645874023 CET | 443 | 49683 | 40.126.31.135 | 192.168.2.4

                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 24, 2021 10:23:13.309921980 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:13.332984924 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:13.920188904 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:13.943337917 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:14.716948032 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:14.740032911 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:15.511826038 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:15.535604000 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:16.968394041 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:16.991550922 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:17.860275030 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:17.883440971 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:19.125066996 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:19.150897026 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:19.983750105 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:20.006917000 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:20.637813091 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:20.664338112 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:21.486450911 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:21.512278080 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:22.337990046 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:22.361217976 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:23.166867018 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:23.201261997 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:37.773974895 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:37.796924114 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:23:40.221301079 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:23:40.253931046 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:24:03.344569921 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:24:03.370654106 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                    Jan 24, 2021 10:24:32.072946072 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                    Jan 24, 2021 10:24:32.110757113 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4

                    HTTP Request Dependency Graph

                    • 110.92.66.246:13527

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49744 | 110.92.66.246 | 13527 | C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 24, 2021 10:23:44.673149109 CET | 405 | OUT | GET /\ HTTP/1.1
                    Connection: Upgrade
                    Sec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHW
                    Sec-WebSocket-Version: 13
                    Upgrade: websocket
                    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
                    Host: 110.92.66.246:13527


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 110.92.66.246 | 13527 | 192.168.2.4 | 49744 | C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 24, 2021 10:23:44.892343998 CET | 406 | IN | HTTP/1.1 101 Switching Protocols
                    Connection: Upgrade
                    Upgrade: WebSocket
                    Sec-WebSocket-Accept: J6aOSpBDe/Sy9K0gZYEbzVgYYn8=
                    Content-Length: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.4 | 49745 | 110.92.66.246 | 13527 | C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 24, 2021 10:23:50.193909883 CET | 407 | OUT | GET /\ HTTP/1.1
                    Connection: Upgrade
                    Sec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnC
                    Sec-WebSocket-Version: 13
                    Upgrade: websocket
                    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
                    Host: 110.92.66.246:13527


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    3 | 110.92.66.246 | 13527 | 192.168.2.4 | 49745 | C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 24, 2021 10:23:50.387290955 CET | 407 | IN | HTTP/1.1 101 Switching Protocols
                    Connection: Upgrade
                    Upgrade: WebSocket
                    Sec-WebSocket-Accept: Zt5ptgVJyb+M21WHDTqV3GKtCPo=
                    Content-Length: 0


                    Session IDSource IPSource PortDestination IPDestination PortProcess
                    4192.168.2.449746110.92.66.24613527C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    TimestampkBytes transferredDirectionData
                    Jan 24, 2021 10:23:54.288530111 CET607OUTGET /\ HTTP/1.1
                    Connection: Upgrade
                    Sec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkF
                    Sec-WebSocket-Version: 13
                    Upgrade: websocket
                    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
                    Host: 110.92.66.246:13527


                    Session IDSource IPSource PortDestination IPDestination PortProcess
                    5110.92.66.24613527192.168.2.449746C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    TimestampkBytes transferredDirectionData
                    Jan 24, 2021 10:23:54.507450104 CET607INHTTP/1.1 101 Switching Protocols
                    Connection: Upgrade
                    Upgrade: WebSocket
                    Sec-WebSocket-Accept: Kj9tthj3c2jmoKNtKOHJo/S2svQ=
                    Content-Length: 0
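
The following Python script is an added example and is not part of the Joe Sandbox report or of the sample. It checks the Upgrade handshakes above against RFC 6455: whether the client's Sec-WebSocket-Key is the base64 form of a 16-byte nonce the RFC requires (24 characters ending in "=="), whether the server's Sec-WebSocket-Accept is the SHA-1-derived value a compliant endpoint would return for that key, and whether the target port is outside 80/443 (the report's "known network protocols on non-standard ports" signature). Session 0's request and session 1's response are transcribed from the capture; the RFC's own key/accept test vector is embedded as a known-good control. The three keys above are 25 bare alphanumeric characters rather than 24 base64 characters, so the key-format check fails for this client.

```python
"""Check the WebSocket upgrade handshakes recorded in the sessions above.

Per request/response pair, against RFC 6455:
  1. Sec-WebSocket-Key must be the base64 encoding of a random 16-byte
     nonce, i.e. exactly 24 characters ending in "==".
  2. Sec-WebSocket-Accept must equal base64(SHA-1(key + fixed GUID)).
Upgrades to any port other than 80/443 are also flagged.
"""
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value, RFC 6455 section 1.3
STANDARD_PORTS = {80, 443}

# Request (session 0) and response (session 1) transcribed from the report above.
SESSION0_REQUEST = r"""GET /\ HTTP/1.1
Connection: Upgrade
Sec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHW
Sec-WebSocket-Version: 13
Upgrade: websocket
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Host: 110.92.66.246:13527
"""
SESSION1_RESPONSE = """HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: WebSocket
Sec-WebSocket-Accept: J6aOSpBDe/Sy9K0gZYEbzVgYYn8=
Content-Length: 0
"""
# Compliant control vector from RFC 6455 section 1.2/1.3 (not from the report).
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC_ACCEPT = "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server derives from the client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_rfc6455_key(key: str) -> bool:
    """True only if key is valid base64 of exactly 16 bytes."""
    if len(key) != 24:
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (binascii.Error, ValueError):
        return False


def parse_headers(message: str) -> dict:
    """Lower-cased header dict for an HTTP/1.1 message (start line skipped)."""
    headers = {}
    for line in message.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_handshake(request: str, response: str) -> dict:
    """Findings for one client Upgrade request and the server's 101 reply."""
    req, resp = parse_headers(request), parse_headers(response)
    key = req.get("sec-websocket-key", "")
    host, sep, port = req.get("host", "").rpartition(":")
    if not sep:  # bare host header: default HTTP port
        host, port = port, "80"
    port_num = int(port) if port.isdigit() else None
    return {
        "host": host,
        "port": port_num,
        "non_standard_port": port_num is not None and port_num not in STANDARD_PORTS,
        "key_is_rfc6455": is_rfc6455_key(key),
        "accept_matches": resp.get("sec-websocket-accept") == expected_accept(key),
    }


if __name__ == "__main__":
    print("RFC 6455 vector:", check_handshake(
        f"GET /chat HTTP/1.1\nHost: server.example.com\nSec-WebSocket-Key: {RFC_KEY}\n",
        f"HTTP/1.1 101 Switching Protocols\nSec-WebSocket-Accept: {RFC_ACCEPT}\n"))
    print("Report session 0/1:", check_handshake(SESSION0_REQUEST, SESSION1_RESPONSE))
```

The accept check tells you whether the server side is a real (or at least conformant) WebSocket implementation; the key-format check is the cheaper signal here, since a legitimate client library never emits a 25-character unpadded key. Both are things a proxy or IDS rule can test without decrypting payload.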


                    Code Manipulations

                    Statistics

                    Behavior


                    System Behavior

                    General

                    Start time:10:23:18
                    Start date:24/01/2021
                    Path:C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
                    Imagebase:0x140000000
                    File size:3150336 bytes
                    MD5 hash:6665909A2652C5860FD874CB15C3991C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:10:23:22
                    Start date:24/01/2021
                    Path:C:\Users\user\zT6Nm@i4\zr.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
                    Imagebase:0x400000
                    File size:461088 bytes
                    MD5 hash:045FCBE6C174AFA9A6A998BDD6F9FAD7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, Virustotal
                    • Detection: 0%, Metadefender
                    • Detection: 0%, ReversingLabs
                    Reputation:low

                    General

                    Start time:10:23:22
                    Start date:24/01/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff724c50000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:10:23:24
                    Start date:24/01/2021
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
                    Imagebase:0x7ff622070000
                    File size:273920 bytes
                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:10:23:24
                    Start date:24/01/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff724c50000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:10:23:28
                    Start date:24/01/2021
                    Path:C:\ProgramData\Microsoft\zr.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
                    Imagebase:0x400000
                    File size:461088 bytes
                    MD5 hash:045FCBE6C174AFA9A6A998BDD6F9FAD7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, Virustotal
                    • Detection: 0%, Metadefender
                    • Detection: 0%, ReversingLabs
                    Reputation:low

                    General

                    Start time:10:23:28
                    Start date:24/01/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff724c50000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:10:23:37
                    Start date:24/01/2021
                    Path:C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
                    Imagebase:0x7ff7a5160000
                    File size:271704 bytes
                    MD5 hash:65DBB57517611D9DE8CE522022DCD727
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 0%, Virustotal
                    • Detection: 0%, Metadefender
                    • Detection: 0%, ReversingLabs
                    Reputation:low

                    General

                    Start time:10:23:48
                    Start date:24/01/2021
                    Path:C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
                    Imagebase:0x7ff7a5160000
                    File size:271704 bytes
                    MD5 hash:65DBB57517611D9DE8CE522022DCD727
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    General

                    Start time:10:23:56
                    Start date:24/01/2021
                    Path:C:\Users\user\zT6Nm@i4\PMRunner64.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
                    Imagebase:0x7ff7a5160000
                    File size:271704 bytes
                    MD5 hash:65DBB57517611D9DE8CE522022DCD727
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
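
The script below is an added example, not part of the report or of the sample. It transcribes the ten process records in this section and runs three correlations a responder would apply to them: one MD5 executing from more than one path (zr.exe runs first from the user's zT6Nm@i4 directory and then from C:\ProgramData\Microsoft), archiver-style command lines (an `a` or `x` verb with a .7z archive, as in the two zr.exe launches) whose executable sits outside Program Files or Windows, and cmd.exe /C launching a .bat from a user-profile directory. The record field names and the TRUSTED_PREFIXES allow-list are assumptions of the example; the paths, command lines, hashes and start times are taken from the report.

```python
"""Correlate the process records from the System Behavior section above.

Checks run over the ten records:
  * one MD5 executing from more than one path (a relocated/copied binary),
  * archiver-style command lines (verb "a" to add to, "x" to extract from,
    a .7z archive) whose executable is outside Program Files / Windows,
  * cmd.exe /C executing a .bat that lives under a user profile.
"""
import re
from collections import defaultdict

# (start time, image path, command line, MD5) transcribed from the report.
SAMPLE = r"C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe"
CONHOST = (r"C:\Windows\System32\conhost.exe",
           r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
           "EA777DEEA782E8B4D7C7C33BBF8A4496")
PMRUNNER = (r"C:\Users\user\zT6Nm@i4\PMRunner64.exe",
            r"'C:\Users\user\zT6Nm@i4\PMRunner64.exe'",
            "65DBB57517611D9DE8CE522022DCD727")
RECORDS = [
    ("10:23:18", SAMPLE, f"'{SAMPLE}'", "6665909A2652C5860FD874CB15C3991C"),
    ("10:23:22", r"C:\Users\user\zT6Nm@i4\zr.exe",
     r"'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'",
     "045FCBE6C174AFA9A6A998BDD6F9FAD7"),
    ("10:23:22", *CONHOST),
    ("10:23:24", r"C:\Windows\System32\cmd.exe",
     r"'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'",
     "4E2ACF4F8A396486AB4268C94A6A245F"),
    ("10:23:24", *CONHOST),
    ("10:23:28", r"C:\ProgramData\Microsoft\zr.exe",
     r"'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y",
     "045FCBE6C174AFA9A6A998BDD6F9FAD7"),
    ("10:23:28", *CONHOST),
    ("10:23:37", *PMRUNNER), ("10:23:48", *PMRUNNER), ("10:23:56", *PMRUNNER),
]
PROCESSES = [dict(zip(("start", "path", "cmdline", "md5"), r)) for r in RECORDS]

# Assumed allow-list: binaries under these prefixes are not treated as staged.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted args whole."""
    return [tok.strip("'\"") for tok in TOKEN_RE.findall(cmdline)]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def hashes_at_multiple_paths(procs):
    """{md5: sorted distinct lower-cased paths} for hashes seen at more than one path."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p["md5"]].add(p["path"].lower())
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def archiver_outside_trusted_dirs(procs):
    """Archiver verb plus .7z target where the executable is not in a trusted dir."""
    hits = []
    for p in procs:
        argv = tokenize(p["cmdline"])
        if len(argv) < 3 or argv[1].lower() not in ("a", "x"):
            continue
        archives = [a for a in argv[2:] if a.lower().endswith(".7z")]
        if archives and not in_trusted_dir(argv[0]):
            hits.append({"start": p["start"], "exe": argv[0],
                         "verb": argv[1].lower(), "archive": archives[0]})
    return hits


def batch_from_user_profile(procs):
    """.bat files passed to cmd.exe /C that live under C:\\Users."""
    hits = []
    for p in procs:
        argv = tokenize(p["cmdline"])
        if not argv or not argv[0].lower().endswith("cmd.exe"):
            continue
        if "/c" not in (a.lower() for a in argv[1:]):
            continue
        hits += [a for a in argv[2:]
                 if a.lower().endswith(".bat") and a.lower().startswith("c:\\users\\")]
    return hits


if __name__ == "__main__":
    print("same hash, several paths:", hashes_at_multiple_paths(PROCESSES))
    print("archiver outside trusted dirs:", archiver_outside_trusted_dirs(PROCESSES))
    print("batch from user profile:", batch_from_user_profile(PROCESSES))
```

On this record set the first check isolates the zr.exe hash, the second returns the add-then-extract pair in the order it happened (10:23:22 into the user directory, 10:23:28 from ProgramData), and the third returns copy.bat. The same functions run unchanged over Sysmon event ID 1 or EDR process-creation exports once the four fields are mapped.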

                    Disassembly

                    Code Analysis
