
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:46425
Start time:15:57:49
Joe Sandbox Product:CloudBasic
Start date:14.02.2018
Overall analysis duration:0h 1m 32s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:n3uZgopfqY.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:2
Number of new started drivers analysed:4
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection:MAL
Classification:mal48.winEXE@2/0@3/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): vga.dll, dllhost.exe
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: n3uZgopfqY.exe


Detection

Strategy | Score | Range | Detection
Threshold | 48 | 0 - 100 | malicious


Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Signature Overview



Networking:

Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected: GET /api/getBingDownloadNX HTTP/1.1 | Host: desk.bar | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: GET /api/getBingDownloadNX HTTP/1.1 | Host: desk.bar
Found strings which match to known social media urls
  • Source: n3uZgopfqY.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
  • Source: n3uZgopfqY.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
  • Source: n3uZgopfqY.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: ts-ocsp.ws.symantec.com
Posts data to webserver
  • Source: unknown | HTTP traffic detected: POST /api/reportInstalls HTTP/1.1 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | Host: desk.bar | Content-Length: 94 | Expect: 100-continue
Urls found in memory or binary data
Source: n3uZgopfqY.exe | Strings found in binary or memory:
  • file://
  • file:///
  • file:///C:/Users/Herb
  • file:///h$
  • http://
  • http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
  • http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  • http://crl.entrust.net/2048ca.crl0
  • http://crl.entrust.net/server1.crl0
  • http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  • http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  • http://crl.thawte.com/ThawtePCA.crl0
  • http://crl.thawte.com/ThawteTimestampingCA.crl0
  • http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
  • http://crt.comod
  • http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
  • http://cybertrust.omniroot.com/repository.cfm0
  • http://defaultcontainer/
  • http://des0
  • http://des0B
  • http://desk.bar
  • http://desk.bar/api/getBingDownloadNX
  • http://desk.bar/api/getDeskBarMicrosoft
  • http://desk.bar/api/getDeskBarMicrosoft#setup_deskbar.exeKhttp://desk.bar/api/getBingDownloadNX
  • http://desk.bar/api/reportInstalls
  • http://foo/
  • http://foo/bar/
  • http://ocsp.comodoca.com0
  • http://ocsp.comodoca.com0%
  • http://ocsp.comodoca.com0-
  • http://ocsp.comodoca.com0/
  • http://ocsp.comodoca.com05
  • http://ocsp.entrust.net03
  • http://ocsp.entrust.net0D
  • http://ocsp.thawte.com0
  • http://ocsp.thawte.comhttp://crl.thawte.com/ThawtePCA.crl
  • http://th.symcb.com/th.crl0
  • http://th.symcb.com/th.crt0
  • http://th.symcd.com0&
  • http://th.symcd.comhttp://th.symcb.com/th.crlA
  • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
  • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
  • http://ts-ocsp.ws.symantec.com07
  • http://www.digicert.com.my/cps.htm02
  • http://www.diginotar.nl/cps/pkioverheid0
  • http://www.public-trust.com/CPS/OmniRoot.html0
  • http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
  • http://www.usertrust.com1
  • https://secure.c
  • https://secure.comodo.com/CPS0
  • https://www.thawte.com/cps0/
  • https://www.thawte.com/repository0
HTTP GET or POST without a user agent
  • Source: global traffic | HTTP traffic detected: GET /api/getBingDownloadNX HTTP/1.1 | Host: desk.bar | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: GET /api/getBingDownloadNX HTTP/1.1 | Host: desk.bar
  • Source: global traffic | HTTP traffic detected: POST /api/reportInstalls HTTP/1.1 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | Host: desk.bar | Content-Length: 94 | Expect: 100-continue
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2018455 ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26 8.8.8.8:53 -> 192.168.2.2:50323
  • Source: Traffic | Snort IDS: 2404030 ET CNC Shadowserver Reported CnC Server TCP group 16 192.168.2.2:49167 -> 195.22.26.248:80
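The three network signatures above (HTTP without a User-Agent, the desk.bar API calls, and the ET sinkhole alert) are simple enough to re-implement, and doing so makes a caveat explicit that the report leaves implicit: 195.22.26.248 lies inside 195.22.26.192/26, the Anubis sinkhole range named in SID 2018455, so the GET and POST that followed the DNS answer went to a sinkhole operator rather than to a live C2 (the Shadowserver CnC alert fires on that same IP). The Python below is an added example written for this page, not Joe Sandbox code or an Emerging Threats rule; the record layout, rule names and the benign control request are this example's own, and the sample input is constructed from the report's DNS answers and request heads. ts-ocsp.ws.symantec.com is excluded from the sinkhole check because it is the OCSP responder of the timestamp CA in the sample's Authenticode chain (its URL appears in the strings list above), so that lookup is revocation checking, not an indicator.

```python
"""Added example (not Joe Sandbox code or an Emerging Threats rule): re-implements the three
network signatures above over constructed records and spells out the sinkhole caveat.

Rules:  sinkholed_dns           DNS answer inside a known sinkhole range
        no_user_agent           HTTP request head with no User-Agent header
        known_c2_path           request path seen in the binary's strings / captured traffic
        c2_request_to_sinkhole  request sent to an IP the sinkhole rule already flagged
Record layout, rule names and the benign control request are this example's own.
"""
import ipaddress
from typing import Dict, List, Tuple

# From ET SID 2018455 in the report: DNS replies pointing into this /26 are the Anubis sinkhole.
SINKHOLE_RANGES = {"Anubis": ipaddress.ip_network("195.22.26.192/26")}
# API paths from the binary's strings and from the captured GET/POST.
KNOWN_C2_PATHS = {"/api/getBingDownloadNX", "/api/getDeskBarMicrosoft", "/api/reportInstalls"}
# OCSP responder of the timestamp CA in the sample's Authenticode chain: revocation checking, not C2.
EXPECTED_CERT_INFRA = {"ts-ocsp.ws.symantec.com"}

Finding = Tuple[str, str]   # (rule name, detail)


def sinkhole_for(ip: str):
    """Name of the sinkhole whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SINKHOLE_RANGES.items() if addr in net), None)


def parse_request_head(raw: str) -> dict:
    """Parse an HTTP/1.x request head (request line + headers, CRLF separated).
    Header names are lower-cased so User-Agent / user-agent compare equal; any body is ignored."""
    lines = raw.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line terminates the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def analyze(dns_answers: Dict[str, str], requests: List[Tuple[str, str]]) -> List[Finding]:
    """dns_answers: queried name -> answered IPv4. requests: (destination IP, raw request head).
    Findings come out in input order, DNS first, so results are deterministic."""
    findings: List[Finding] = []
    sinkholed = {}                                   # IP -> name that resolved to it
    for name, ip in dns_answers.items():
        if name in EXPECTED_CERT_INFRA:
            continue                                 # expected for a signed binary; not an IOC
        sink = sinkhole_for(ip)
        if sink:
            sinkholed[ip] = name
            findings.append(("sinkholed_dns", f"{name} -> {ip} ({sink} sinkhole)"))
    for dst_ip, raw in requests:
        req = parse_request_head(raw)
        hdr = req["headers"]
        label = f'{req["method"]} {req["path"]} Host: {hdr.get("host", "?")}'
        if "user-agent" not in hdr:
            findings.append(("no_user_agent", label))
        if req["path"] in KNOWN_C2_PATHS:
            findings.append(("known_c2_path", label))
        if dst_ip in sinkholed:
            # The domain is sinkholed: this request (for the report's POST, 94 bytes of form data)
            # reached the sinkhole operator, not a live C2. Evidence of infection, not of live C2.
            findings.append(("c2_request_to_sinkhole", label))
    return findings


# Constructed sample input reproducing the report's DNS answers and request heads.
SAMPLE_DNS = {"desk.bar": "195.22.26.248", "ts-ocsp.ws.symantec.com": "23.5.251.27"}
SAMPLE_REQUESTS = [
    ("195.22.26.248", "GET /api/getBingDownloadNX HTTP/1.1\r\nHost: desk.bar\r\nConnection: Keep-Alive\r\n\r\n"),
    ("195.22.26.248", "POST /api/reportInstalls HTTP/1.1\r\n"
                      "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
                      "Host: desk.bar\r\nContent-Length: 94\r\nExpect: 100-continue\r\n\r\n"),
    # Constructed benign control (not in the report): a browser-style request with a User-Agent.
    ("203.0.113.10", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_DNS, SAMPLE_REQUESTS):
        print(f"{rule:24} {detail}")
```

Run as a script it prints seven findings: one sinkholed_dns for desk.bar and three per desk.bar request; the control request produces nothing. The sinkhole list is deliberately a dict so further ranges from other ET sinkhole SIDs can be added without touching the logic.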

System Summary:

Uses Microsoft Silverlight
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
PE file contains a COM descriptor data directory
  • Source: n3uZgopfqY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
  • Source: n3uZgopfqY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  • Source: n3uZgopfqY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
  • Source: Binary string: c:\Users\testbox\Documents\Visual Studio 2013\Projects\DeskBarBundler\DeskBarBundler\obj\Release\DeskBarBundler.pdb source: n3uZgopfqY.exe
  • Source: Binary string: mscorrc.pdb source: n3uZgopfqY.exe
  • Source: Binary string: c:\Users\testbox\Documents\Visual Studio 2013\Projects\DeskBarBundler\DeskBarBundler\obj\Release\DeskBarBundler.pdbh[~[ p[_CorExeMainmscoree.dll source: n3uZgopfqY.exe
Classification label
  • Source: classification engine | Classification label: mal48.winEXE@2/0@3/2
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | File created: C:\Users\user\AppData\Roaming\BlueLabsSoftware
PE file has an executable .text section and no other executable section
  • Source: n3uZgopfqY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
  • Source: n3uZgopfqY.exe | Metascan Online: hash found
Creates mutexes
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Reads the hosts file
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenamemscorrc.dllT vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenameKernelbasej% vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: originalfilename vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenameDeskBarBundler.exe@ vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: System.OriginalFileName vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenamemscorwks.dllT vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs n3uZgopfqY.exe
  • Source: n3uZgopfqY.exe | Binary or memory string: OriginalFilenameDeskBarBundler.exe@ vs n3uZgopfqY.exe
Spawns drivers
  • Source: unknown | Driver loaded: C:\Windows\System32\vga256.dll

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Thread delayed: delay time: 922337203685477 (this value is 2^63 / 10^4, i.e. the maximum 100 ns timeout expressed in milliseconds: an effectively unbounded wait rather than a chosen sleep interval)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Process information set: NOOPENFILEERRORBOX (44 identical events)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Users\user\Desktop\n3uZgopfqY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 46425 | Sample: n3uZgopfqY.exe | Start date: 14/02/2018 | Architecture: WINDOWS | Score: 48
(graph image not reproduced; its node contents follow)
  • Processes started: n3uZgopfqY.exe, vga256.dll, vga64k.dll
  • Signature attached to the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • DNS/IP info: desk.bar, 195.22.26.248 (ports 49167, 49168, 49169; CLARANET-AS ClaraNET LTD, GB; Portugal), contacted by n3uZgopfqY.exe
  • DNS/IP info: 8.8.8.8 (ports 50323, 53, 57729; GOOGLE - Google Inc., US; United States), contacted by n3uZgopfqY.exe
  • DNS/IP info: ts-ocsp.ws.symantec.com

Simulations

Behavior and APIs

Time | Type | Description
15:58:51 | API Interceptor | 1x Sleep call for process: n3uZgopfqY.exe modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

Source | Detection | Cloud Link
n3uZgopfqY.exe | 0% | virustotal
n3uZgopfqY.exe | 0% | metadefender

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud Link
ts-ocsp.ws.symantec.com | 0% | virustotal
desk.bar | 3% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
Match: 195.22.26.248
  • wpad.SRWIN2K3.com | malicious | context: wpad.srwin2k3.com/favicon.ico
  • YvGCoGzEzr | SHA256 f89416eb1f7b958bb512e80ebf7b4deb3c6ea4c985f9714542e278a23b2f9b2c | malicious | context: api.POWERMASTER.CLUB/battery/api/7
  • http://goccl2.syscarnival.com//~/media/E191A56AD442496096F16DE6E913BF42.ashx | malicious | context: goccl2.syscarnival.com/favicon.ico
  • FnUGKWbcG7.apk | SHA256 24361fb26f7ae15c026c60677a523850a24c9f154a4ef67aaeb5f117df466fa9 | malicious | context: api.loveddl.com/statistics.php
  • http://lispotcrime.com/imp | malicious | context: lispotcrime.com/favicon.ico
  • http://sos.atplan.net/sos/logdata | malicious | context: sos.atplan.net/favicon.ico
  • propeladserver.com/crossdomain.xml | malicious | context: propeladserver.com/favicon.ico
  • 7d059fae265035ff8a0.exe | SHA256 7d059fae265035ff8a0ad01c051bb133eb8b71175419fda9e34b8974878669e2 | malicious | context: server.peperware.com/0.0.0
  • SNCpGUSAC3.exe | SHA256 65bd74e7baa5c7b61465a8edb58ddadb85fc1c6947aeb307165aeb2f8861d8ab | malicious | context: www.update-srv.info/check/eyJ0YXNrIjoidXBkYXRlciIsInZlcnNpb24iOiIxLjcuMC4wIiwiaXNfaG91c2UiOnRydWV9.sAl6930D34m0hRdJedPTOdvIjx4
  • xY1GKfr9Be.apk | SHA256 b59fece0a308501648dd213b94bcc0cf69a025c2679f57b7e3a7d007f6ff99dc | malicious | context: slot2.adsnike.com/Slot/AdQueue?&adunit=4c0d13d3ad6cc317017872e51d01b238&av=1.4&udid=9a46817be12b0c2e285855fd72f60ad88e117ad5&os=1&nt=9&z=%2B0200&adnum=1&ct=0&st=0&ta=1&android_id=d31d40f293453e08&advertising_id=f66abd88-0b7b-4277-9568-1c56dfdf4696&imei=339986685636317&dpi=160&model=Galaxy%20Nexus&brand=google&product=%3Doccam&osv=23&osvc=4.2.1&dmf=samsung&ta=1&ipkg=1m9QWQ
  • DC59kLGZxK.exe | SHA256 c1f59897e835aff91e6d18dee12379cbe6c3294ed621815cc91578f64ab6387a | malicious | context: server.peperware.com/0.0.0
  • iasJ9Sb73f.apk | SHA256 b0b2ec62dc64b66d3fc5e7ac3991a4b34f0e2059feb257084340dc3b344b0b2a | malicious | context: en.tcupdate.com/cku22/home
  • 8PCxzbsv7Z.exe | SHA256 9f1f14ac1951de0e4e352200465bf00eb1c8e494635f388bbdcfbde4f4d18847 | malicious | context: secure.update-srv.info/check/eyJ0YXNrIjoidXBkYXRlciIsInZlcnNpb24iOiIxLjcuMC4wIn0.TQsHAxPI7CYPhfTovCoTP0PIalQ
  • sTzpXqecgO.exe | SHA256 b580c006b227043d2c46c5d26e7e2aa6313c6540c3d799b22e38b4181e647647 | malicious | context: installs.peperware.com/install/00000/E99C189F93C7BACC7FAF-CB0B-4C48-9F32-BF972D86A913
  • LGyvGvO6bE.apk | SHA256 5a3c17d1b87858ad2e1b68de19712b95e66524b7d33ec956cb7388f243845997 | malicious | context: track-web.link/bl_csv.php
  • epfq2U8E6L.apk | SHA256 2d605c8e985000b0f12cddc1e89db457d52afa875b53239cda4c49e941468568 | malicious | context: api.loveddl.com/statistics.php
  • bdtwxjsvrj.com | malicious | context: bdtwxjsvrj.com/favicon.ico
  • HBamaTP2sB.apk | SHA256 3cadcb0fb23e4453ab7d4653ea082f2929e019f3be01055ba7c3bae4511cf35c | malicious | context: app2.adsnike.com/update_v2.php

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
Match: ts-ocsp.ws.symantec.com
  • QQ9.0.1.exe | SHA256 291e01a47f552cd782452cac1d7374bc2797c70d15c062dfe3409e0d9ba8d65b | malicious | context: 23.51.123.27
  • yeVDUkJeV6.exe | SHA256 ef6115fc310a205bda5f35d93e8abcdc3a582fd7bfd6c34364bc8c0115d92ee0 | malicious | context: 23.63.139.27
  • 121.exe | SHA256 7cde65d1b31292def5371b3741717f1ed7357df81c311698ec301b899a069b95 | malicious | context: 23.52.27.27
  • SNCpGUSAC3.exe | SHA256 65bd74e7baa5c7b61465a8edb58ddadb85fc1c6947aeb307165aeb2f8861d8ab | malicious | context: 23.5.251.27
  • 8PCxzbsv7Z.exe | SHA256 9f1f14ac1951de0e4e352200465bf00eb1c8e494635f388bbdcfbde4f4d18847 | malicious | context: 23.51.123.27
  • Advancegraphic.exe | SHA256 89d979146a13dce39af4e6daf340a06471ca3aa6cc768cf865f8c7c93590a11f | malicious | context: 23.46.123.27

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
Match: CLARANET-AS ClaraNET LTD, GB
  • TTF9sBZHUZ.exe | SHA256 16aa9721fc22325227e041a7bc7a6a32b7523dc986c20a0f62513abe7261a8d9 | malicious | context: 195.38.137.100
  • wpad.SRWIN2K3.com | malicious | context: 195.22.26.248
  • http://errors.newdatastatsserv.com/mac-error.gif?msg=Safari version 11.0.1 is not supported&funcName=WebSocketServerApp::main&errtype=WSSException&os=mac_10_11_6&ibic=8BC08762BAAC455EB4EC0742C1B51110&rnd=1512632018198787 | malicious | context: 195.38.137.100
  • Invoice #32257232.doc | SHA256 9f53ec77d3d8da1ab1eb50b1fcf837bf06d53c52e2912ed1228975ff67649629 | malicious | context: 188.93.230.140
  • YvGCoGzEzr | SHA256 f89416eb1f7b958bb512e80ebf7b4deb3c6ea4c985f9714542e278a23b2f9b2c | malicious | context: 195.22.26.248
  • http://goccl2.syscarnival.com//~/media/E191A56AD442496096F16DE6E913BF42.ashx | malicious | context: 195.22.26.248
  • friendsecure.net/ABIUSP/setup.exe | malicious | context: 195.22.4.21
  • FnUGKWbcG7.apk | SHA256 24361fb26f7ae15c026c60677a523850a24c9f154a4ef67aaeb5f117df466fa9 | malicious | context: 195.22.26.248
  • http://lispotcrime.com/imp | malicious | context: 195.22.26.248
  • http://sos.atplan.net/sos/logdata | malicious | context: 195.22.26.248
  • Gpcode.exe | SHA256 d17ddc2ff7ff9b3ae06c5cfcb50413b8eb3807c282843a277d1c0a0428a4c969 | malicious | context: 195.157.15.100
  • propeladserver.com/crossdomain.xml | malicious | context: 195.22.26.248
  • 7d059fae265035ff8a0.exe | SHA256 7d059fae265035ff8a0ad01c051bb133eb8b71175419fda9e34b8974878669e2 | malicious | context: 195.22.26.248
  • SNCpGUSAC3.exe | SHA256 65bd74e7baa5c7b61465a8edb58ddadb85fc1c6947aeb307165aeb2f8861d8ab | malicious | context: 195.22.26.248
  • 829BhfK144.exe | SHA256 4465b0d771af98d56b9d0f3c5d1d61e1e565467d0c0ef32ed26d0490a6dda30b | malicious | context: 195.22.26.248
  • http://wwab2391wab.imizi.com.br/desktop/login/https-bcp----ae71301c71dc9286671775912f9dc5b7 | malicious | context: 185.118.114.65
  • xY1GKfr9Be.apk | SHA256 b59fece0a308501648dd213b94bcc0cf69a025c2679f57b7e3a7d007f6ff99dc | malicious | context: 195.22.26.248
  • DC59kLGZxK.exe | SHA256 c1f59897e835aff91e6d18dee12379cbe6c3294ed621815cc91578f64ab6387a | malicious | context: 195.22.26.248
  • iasJ9Sb73f.apk | SHA256 b0b2ec62dc64b66d3fc5e7ac3991a4b34f0e2059feb257084340dc3b344b0b2a | malicious | context: 195.22.26.248
  • 8VhJ0zjBQ5.exe | SHA256 69c795919fbd9ae292849efbf3aa0c89dcd808268ba8a67825dbeef9849b5dc6 | malicious | context: 195.22.26.248

Dropped Files

No context

Startup

  • System is w7
  • n3uZgopfqY.exe (PID: 3240 cmdline: 'C:\Users\user\Desktop\n3uZgopfqY.exe' MD5: C895E31F3DEBD2595FE6CD2504B80C56)
  • vga256.dll (PID: 4 cmdline: unknown MD5: B11BCD430977E5FBCB3A5804C675C5A0)
  • vga64k.dll (PID: 4 cmdline: unknown MD5: 7FFE091344E7939B3BAD6E8ADAD617B3)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
ts-ocsp.ws.symantec.com | 23.5.251.27 | true | false | 0% (virustotal)
desk.bar | 195.22.26.248 | true | true | 3% (virustotal)

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
195.22.26.248 | Portugal | 8426 | CLARANET-AS ClaraNET LTD, GB | true
8.8.8.8 | United States | 15169 | GOOGLE - Google Inc., US | false

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):6.084074288892797
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.83%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:n3uZgopfqY.exe
File size:23736
MD5:c895e31f3debd2595fe6cd2504b80c56
SHA1:8a1058f314fa907e49d3b7745e8d6753e5f72d3a
SHA256:652b81c2cb538d558986ee9bc65405d46b2536e00fc25d84ed8e602568ec3981
SHA512:6894573a4f51a3cb6868ed31d2c0b5b121f51deda56074272dedc8e74ee2feab3e09dbd7b0a13d35ba1103c54db57297d0c61fb6d080933a9008639eeb1e8d37
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{U.................<...........[... ...`....@.. ..............................t.....@................................


Static PE Info

General

Entrypoint:0x405b8e
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x557B05BE [Fri Jun 12 16:15:58 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 9/30/2014 2:00:00 AM 10/1/2015 1:59:59 AM
Subject Chain
  • CN="Blue Labs, LLC", O="Blue Labs, LLC", L=St Louis Park, S=Minnesota, C=US
Version:3
Thumbprint:6AACC729575C373F151A40D601CA7CF70183DF0D
Serial:35D6CCDACB4165CA9B77CCB53FA48DC9

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the second instruction is repeated 92 times in the original listing: the bytes after the 6-byte jmp stub are zero, and 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5b40 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x570 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4600 | 0x16b8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a08 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
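The data directory table is what tells you this is a managed executable and how it starts: a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header at RVA 0x2008), an 8-byte IAT at RVA 0x2000 holding the single import mscoree!_CorExeMain, and an entry point that is just jmp dword ptr [00402000h], a jump through that IAT slot (0x402000 minus the image base 0x400000 is 0x2000). IMAGE_DIRECTORY_ENTRY_SECURITY is the odd one out: its "virtual address" is a file offset, which is why it belongs to no section. The Python below is an added example, not Joe Sandbox code: it parses these fields from a PE32 header with the standard library only, decodes the compile timestamp (0x557B05BE, the June 2015 date above, inside the signing certificate's 2014 to 2015 validity window) and checks the CLR entry stub against the IAT. The header it runs on is constructed with struct from the values in this report (no sections, code or certificate) and is labelled as such in the code; point parse_pe at real file bytes to use it on a sample.

```python
"""Added example (not Joe Sandbox code): minimal PE32 header checks with the standard library.

parse_pe()            -> timestamp, entry point, image base, DllCharacteristics, data directories,
                         plus derived flags (managed/.NET, Authenticode blob present)
is_clr_entry_stub()   -> does the entry point jump through an IAT slot (the mscoree!_CorExeMain stub)?
build_sample_header() -> a header constructed from the values in this report; it is NOT the real sample.
"""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
PE32_MAGIC = 0x10B
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers; raises ValueError on anything else."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase (32-bit in PE32)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", data, opt + 96 + 8 * i)
    empty = (0, 0)
    return {
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "directories": dirs,
        "is_managed": dirs.get("COM_DESCRIPTOR", empty) != empty,   # CLR header present
        # SECURITY holds a file offset, not an RVA: the Authenticode blob is never mapped.
        "has_authenticode_blob": dirs.get("SECURITY", empty) != empty,
    }


def is_clr_entry_stub(entry_bytes: bytes, image_base: int, iat: tuple) -> bool:
    """True if the entry point is 'FF 25 <VA>' (jmp dword ptr [VA]) and VA lands inside the IAT:
    the native stub of a managed PE32, a jump through the IAT slot for mscoree!_CorExeMain.
    Anything else at the entry point of a 'managed' file means native code was put in front."""
    if len(entry_bytes) < 6 or entry_bytes[:2] != b"\xff\x25":
        return False
    slot_rva = struct.unpack_from("<I", entry_bytes, 2)[0] - image_base
    iat_rva, iat_size = iat
    return iat_rva <= slot_rva < iat_rva + iat_size


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying this report's values (no sections, code or certificate)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x557B05BE, 0, 0, 224, 0x0102)  # 32BIT_MACHINE|EXECUTABLE_IMAGE
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 8, 0, 0x3C00, 0x800, 0, 0x5B8E, 0x2000, 0x6000, 0x400000)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0xA000, 0x200, 0,
                       2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # subsystem 2 = GUI
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[4] = (0x5B40, 0x4B), (0x6000, 0x570), (0x4600, 0x16B8)
    dirs[5], dirs[6], dirs[12], dirs[14] = (0x8000, 0xC), (0x5A08, 0x1C), (0x2000, 0x8), (0x2008, 0x48)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


# The entry-point bytes of 'jmp dword ptr [00402000h]' as disassembled in the report.
REPORTED_ENTRY_BYTES = b"\xff\x25\x00\x20\x40\x00"

if __name__ == "__main__":
    info = parse_pe(build_sample_header())
    print(info)
    print("CLR stub at entry:", is_clr_entry_stub(REPORTED_ENTRY_BYTES, info["image_base"], info["directories"]["IAT"]))
```

The stub check is the useful part on real samples: a managed file whose entry point is not a jump into its IAT has had native code prepended (a packer or loader stub), which is also why the sandbox could not run Hybrid Code Analysis here and why the entry-point listing above is nothing but the stub and zero padding.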

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3b94 | 0x3c00 | False | 0.451692708333 | data | 5.64591071767 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x570 | 0x600 | False | 0.39453125 | data | 3.99184310315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | False | 0.044921875 | dBase IV DBT of \220;.DBF, blocks size 12, next free block index 20480 | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x60a0 | 0x2e0 | data | - | -
RT_MANIFEST | 0x6380 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | DeskBarBundler.exe
FileVersion | 1.0.0.0
ProductName | DeskBarBundler
ProductVersion | 1.0.0.0
FileDescription | DeskBarBundler
OriginalFilename | DeskBarBundler.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/14/18-15:58:31.064401 | UDP | 2018455 | ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26 | 53 | 50323 | 8.8.8.8 | 192.168.2.2
02/14/18-15:58:31.115194 | TCP | 2404030 | ET CNC Shadowserver Reported CnC Server TCP group 16 | 49167 | 80 | 192.168.2.2 | 195.22.26.248

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 14, 2018 15:58:26.469430923 CET | 192.168.2.2 | 8.8.8.8 | 0x8493 | Standard query (0) | ts-ocsp.ws.symantec.com | A (IP address) | IN (0x0001)
Feb 14, 2018 15:58:27.269504070 CET | 192.168.2.2 | 8.8.8.8 | 0xcf44 | Standard query (0) | ts-ocsp.ws.symantec.com | A (IP address) | IN (0x0001)
Feb 14, 2018 15:58:30.250041008 CET | 192.168.2.2 | 8.8.8.8 | 0x1694 | Standard query (0) | desk.bar | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 14, 2018 15:58:27.266499996 CET | 8.8.8.8 | 192.168.2.2 | 0x8493 | No error (0) | ts-ocsp.ws.symantec.com | | 23.5.251.27 | A (IP address) | IN (0x0001)
Feb 14, 2018 15:58:28.070833921 CET | 8.8.8.8 | 192.168.2.2 | 0xcf44 | No error (0) | ts-ocsp.ws.symantec.com | | 23.5.251.27 | A (IP address) | IN (0x0001)
Feb 14, 2018 15:58:31.064400911 CET | 8.8.8.8 | 192.168.2.2 | 0x1694 | No error (0) | desk.bar | | 195.22.26.248 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • desk.bar

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.2 | 49167 | 195.22.26.248 | 80 | C:\Users\user\Desktop\n3uZgopfqY.exe
Timestamp | kBytes transferred | Direction | Data
Feb 14, 2018 15:58:31.116056919 CET | 7 | OUT | GET /api/getBingDownloadNX HTTP/1.1
Host: desk.bar
Connection: Keep-Alive
Feb 14, 2018 15:58:31.370939016 CET | 7 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Feb 2018 14:58:31 GMT
Content-Type: text/html
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.2 | 49168 | 195.22.26.248 | 80 | C:\Users\user\Desktop\n3uZgopfqY.exe
Timestamp | kBytes transferred | Direction | Data
Feb 14, 2018 15:58:31.376593113 CET | 8 | OUT | GET /api/getBingDownloadNX HTTP/1.1
Host: desk.bar
Feb 14, 2018 15:58:31.673306942 CET | 8 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Feb 2018 14:58:31 GMT
Content-Type: text/html
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.2 | 49169 | 195.22.26.248 | 80 | C:\Users\user\Desktop\n3uZgopfqY.exe
Timestamp | kBytes transferred | Direction | Data
Feb 14, 2018 15:58:32.207830906 CET | 9 | OUT | POST /api/reportInstalls HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: desk.bar
Content-Length: 94
Expect: 100-continue
Feb 14, 2018 15:58:32.483495951 CET | 9 | IN | HTTP/1.1 100 Continue
Feb 14, 2018 15:58:32.484642982 CET | 9 | OUT | Data Raw: 53 6f 75 72 63 65 3d 64 65 66 61 75 6c 74 54 65 72 6d 26 44 48 50 3d 66 61 6c 73 65 26 44 53 50 3d 66 61 6c 73 65 26 44 65 73 6b 42 61 72 43 6f 64 65 3d 26 42 69 6e 67 43 6f 64 65 3d 26 43 6f 75 6e 74 72 79 43 6f 64 65 3d 52 4f 57 26 49 6e 73 74
Data Ascii: Source=defaultTerm&DHP=false&DSP=false&DeskBarCode=&BingCode=&CountryCode=ROW&InstallDeskBar=0
Feb 14, 2018 15:58:32.729067087 CET | 9 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Feb 2018 14:58:32 GMT
Content-Type: text/html
Connection: close


Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior


System Behavior

General

Start time:15:58:47
Start date:14/02/2018
Path:C:\Users\user\Desktop\n3uZgopfqY.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\n3uZgopfqY.exe'
Imagebase:0x1210000
File size:23736 bytes
MD5 hash:C895E31F3DEBD2595FE6CD2504B80C56
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:15:58:48
Start date:14/02/2018
Path:C:\Windows\System32\vga256.dll
Wow64 process (32bit):
Commandline:unknown
Imagebase:
File size:56320 bytes
MD5 hash:B11BCD430977E5FBCB3A5804C675C5A0
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:15:58:48
Start date:14/02/2018
Path:C:\Windows\System32\vga64k.dll
Wow64 process (32bit):
Commandline:unknown
Imagebase:
File size:21504 bytes
MD5 hash:7FFE091344E7939B3BAD6E8ADAD617B3
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis
