
Analysis Report rYkaVx1Tiz.exe

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:60291
Start date:12.09.2018
Start time:10:20:01
Joe Sandbox Product:Cloud
Overall analysis duration:0h 9m 11s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:rYkaVx1Tiz.exe
Cookbook file name:default.jbs
Analysis system description:W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.evad.winEXE@25/34@12/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Execution Graph export aborted for target iexplore.exe, PID 2848 because there are no executed functions
  • Execution Graph export aborted for target iexplore.exe, PID 3464 because there are no executed functions
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: rYkaVx1Tiz.exe, WindowsImplantment.exe

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   100     0 - 100   Report FP / FN   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

None of the domains contacted by the sample resolve; the sample is likely an old dropper that no longer works.
The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: rYkaVx1Tiz.exe | Avira: Label: TR/Dropper.MSIL.Gen2
Multi AV Scanner detection for submitted file
Source: rYkaVx1Tiz.exe | virustotal: Detection: 70%
Source: rYkaVx1Tiz.exe | metadefender: Detection: 51%
Antivirus detection for unpacked file
Source: 0.1.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.1.WindowsImplantment.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.2.WindowsImplantment.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 0.0.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 0.2.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen2

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file system
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: www.windowspatch.com replaycode: Server failure (2)
Found strings which match to known social media urls
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7b32f7e9,0x01d44abd</date><accdate>0x7b32f7e9,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7b32f7e9,0x01d44abd</date><accdate>0x7b37bd56,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7b6e9a20,0x01d44abd</date><accdate>0x7b6e9a20,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7b6e9a20,0x01d44abd</date><accdate>0x7b735e6b,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7b8407e5,0x01d44abd</date><accdate>0x7b8407e5,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7b8407e5,0x01d44abd</date><accdate>0x7b866b06,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.windowspatch.com
Urls found in memory or binary data
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | String found in binary or memory: http://www.windowspatch.com
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | String found in binary or memory: http://www.windowspatch.com/
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp, ~DF56506D0F3B9A9AFA.TMP.7.dr | String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174
Source: {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr | String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174Root
Source: {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr | String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174h.com/khc?77313033325C626F726174
Source: msapplication.xml8.7.dr | String found in binary or memory: http://www.youtube.com/

System Summary:

Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Dropped file: CreateObject("WScript.Shell").Run("C:\ProgramData\Windows\WindowsImplantment.exe")
Starts Internet Explorer in hidden mode
Source: C:\Program Files\Internet Explorer\iexplore.exe | Window hidden: window name: IEFrame
Source: C:\Program Files\Internet Explorer\iexplore.exe | Window hidden: window name: IEFrame
Sample file is different than original file name gathered from version info
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128114963.04820000.00000002.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe, 00000000.00000002.25124602420.001F0000.00000002.sdmp | Binary or memory string: OriginalFilenameWindows Implantment Module.exej% vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe | Binary or memory string: OriginalFilenameWindows Implantment Module.exej% vs rYkaVx1Tiz.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Section loaded: sbiedll.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Section loaded: sbiedll.dll
Classification label
Source: classification engine | Classification label: mal100.bank.evad.winEXE@25/34@12/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rYkaVx1Tiz.exe.log
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF264248DDDB5CB074.TMP
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
PE file has an executable .text section and no other executable section
Source: rYkaVx1Tiz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: rYkaVx1Tiz.exe | virustotal: Detection: 70%
Source: rYkaVx1Tiz.exe | metadefender: Detection: 51%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\rYkaVx1Tiz.exe 'C:\Users\user\Desktop\rYkaVx1Tiz.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\whoami.exe whoami
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\ProgramData\Windows\ShwDoc.vbs
Source: unknown | Process created: C:\ProgramData\Windows\WindowsImplantment.exe 'C:\ProgramData\Windows\WindowsImplantment.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\whoami.exe whoami
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Process created: C:\ProgramData\Windows\WindowsImplantment.exe 'C:\ProgramData\Windows\WindowsImplantment.exe'
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Found GUI installer (many successful clicks)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Automated click: OK
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Automated click: OK
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe | File opened: C:\Program Files\Java\jre1.8.0_91\bin\msvcr100.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: rYkaVx1Tiz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | PE file moved: C:\ProgramData\Windows\WindowsImplantment.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Uses whoami command line tool to query computer and username
Source: unknown | Process created: C:\Windows\System32\whoami.exe whoami
Source: unknown | Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Creates or modifies windows services
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ASP.NET_4.0.30319\Names

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Process information set: NOOPENFILEERRORBOX (33 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)

Malware Analysis System Evasion:

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Fan
Source: C:\ProgramData\Windows\WindowsImplantment.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Fan
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PointingDevice
Source: C:\ProgramData\Windows\WindowsImplantment.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PointingDevice
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Source: C:\ProgramData\Windows\WindowsImplantment.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_DiskDrive
Source: C:\ProgramData\Windows\WindowsImplantment.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_DiskDrive
Queries thermal zone temperature information (via WMI, MSAcpi_ThermalZoneTemperature, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Source: C:\ProgramData\Windows\WindowsImplantment.exe WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: rYkaVx1Tiz.exe Binary or memory string: SBIEDLL.DLL
Enumerates the file system
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: rYkaVx1Tiz.exe Binary or memory string: vmGuestLib.dll
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp Binary or memory string: A virtual machine could not be started because Hyper-V is not installed.
Source: rYkaVx1Tiz.exe Binary or memory string: vboxmrxnp.dll
Source: rYkaVx1Tiz.exe Binary or memory string: vmbusres.dll

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\System32\wscript.exe File opened: C:\Windows\WinSxS\FileMaps\programdata_windows_ef1ff04e6eb475e1.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Queries volume information: C:\Users\user\Desktop\rYkaVx1Tiz.exe VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe Queries volume information: C:\ProgramData\Windows\WindowsImplantment.exe VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 60291  Sample: rYkaVx1Tiz.exe  Startdate: 12/09/2018  Architecture: WINDOWS  Score: 100

  • Sample start (signatures: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (process name or module); 3 other signatures)
    • rYkaVx1Tiz.exe started
      • dropped: C:\Users\user\AppData\...\rYkaVx1Tiz.exe.log (ASCII)
      • dropped: C:\ProgramData\Windows\ShwDoc.vbs (ASCII)
      • signatures: Potential malicious VBS script found (suspicious strings); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 4 other signatures
      • cmd.exe started (signature: Uses whoami command line tool to query computer and username)
        • conhost.exe started
        • whoami.exe started
      • cmd.exe started
        • conhost.exe started
        • schtasks.exe started
    • wscript.exe started
      • WindowsImplantment.exe started (signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Queries thermal zone temperature information (via WMI, MSAcpi_ThermalZoneTemperature, often done to detect virtual machines); 3 other signatures)
        • cmd.exe started (signature: Uses whoami command line tool to query computer and username)
          • conhost.exe started
          • whoami.exe started
    • iexplore.exe started (signature: Starts Internet Explorer in hidden mode)
      • iexplore.exe started; DNS: www.windowspatch.com
    • iexplore.exe started
      • iexplore.exe started; DNS: www.windowspatch.com

Simulations

Behavior and APIs

Time | Type | Description
10:21:59 | Task Scheduler | Run new task: b02b15c6-e056-40aa-adeb-360635a4a3df path: wscript s>C:\ProgramData\Windows\ShwDoc.vbs
20:24:00 | API Interceptor | 21x Sleep call for process: rYkaVx1Tiz.exe modified
20:24:26 | API Interceptor | 1x Sleep call for process: WindowsImplantment.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
rYkaVx1Tiz.exe | 70% | virustotal |
rYkaVx1Tiz.exe | 51% | metadefender |
rYkaVx1Tiz.exe | 100% | Avira | TR/Dropper.MSIL.Gen2

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.1.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.2.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
0.0.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
0.2.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.windowspatch.com/ | 6% | virustotal |
http://www.windowspatch.com | 6% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots


Startup

  • System is w10native
  • rYkaVx1Tiz.exe (PID: 1304 cmdline: 'C:\Users\user\Desktop\rYkaVx1Tiz.exe' MD5: EA6321F55EA83E6F2887A2360F8E55B0)
    • cmd.exe (PID: 3312 cmdline: 'cmd.exe' /c whoami MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
      • conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
      • whoami.exe (PID: 2000 cmdline: whoami MD5: 31FF92F0558A13CE4C7B935FD007B416)
    • cmd.exe (PID: 2696 cmdline: cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
      • schtasks.exe (PID: 2960 cmdline: SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f MD5: 22CFF8E0A49073A4C7A0A9BBADEF062B)
  • iexplore.exe (PID: 1712 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: E7CD04555F47651B79A50DBA6148019C)
    • iexplore.exe (PID: 3464 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2 MD5: E7CD04555F47651B79A50DBA6148019C)
  • wscript.exe (PID: 1020 cmdline: C:\Windows\system32\wscript.EXE C:\ProgramData\Windows\ShwDoc.vbs MD5: 8271B2F085B320D1AB9E459B9F46D38B)
    • WindowsImplantment.exe (PID: 4008 cmdline: 'C:\ProgramData\Windows\WindowsImplantment.exe' MD5: EA6321F55EA83E6F2887A2360F8E55B0)
      • cmd.exe (PID: 3116 cmdline: 'cmd.exe' /c whoami MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)
        • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)
        • whoami.exe (PID: 3856 cmdline: whoami MD5: 31FF92F0558A13CE4C7B935FD007B416)
  • iexplore.exe (PID: 3544 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: E7CD04555F47651B79A50DBA6148019C)
    • iexplore.exe (PID: 2848 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2 MD5: E7CD04555F47651B79A50DBA6148019C)
  • cleanup

Created / dropped Files

C:\ProgramData\Windows\GID.bin
Process:C:\Users\user\Desktop\rYkaVx1Tiz.exe
File Type:ASCII text, with no line terminators
Size (bytes):36
Entropy (8bit):3.617861029749889
Encrypted:false
MD5:A09C2A1C51E615CBAD53E233600E4213
SHA1:CD26D532267D3C9DB8DBBBB97D55EDEC8D2884CC
SHA-256:F8024C585D67C081E5D30E4DA8C90CFA74856757ABDF233E9B7F964E06BFA7B3
SHA-512:05B1BC6C69F84AB583255CE15512DAE30A3DA04CAB8FE8025BDE01B893D6CC900CE4E7071EBB9A4FD0EFA32DCB7FDE8A2E06FE1FD0EB6B513BFEED19E794099A
Malicious:false
Reputation:low
C:\ProgramData\Windows\ShwDoc.vbs
Process:C:\Users\user\Desktop\rYkaVx1Tiz.exe
File Type:ASCII text, with no line terminators
Size (bytes):82
Entropy (8bit):4.825055017755302
Encrypted:false
MD5:F705764E83194658E0C700A68FD7C5EC
SHA1:9561C3D735ABEBE9E7C66DAFDEFDFC74178163B9
SHA-256:D09E73521227E898515E13C6FC34C7FAE5025F4BD6381B0AC3EE31F68324A49A
SHA-512:9A5A98F87AFC8C180D73056C1735366ADAD32ABED1D753A2658FF6FEA01F0AC83A863353902E2DF8D03A5089D1E4993205044AAD9D452B75DB3ABEE96688DDB5
Malicious:true
Reputation:low
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsImplantment.exe.log
Process:C:\ProgramData\Windows\WindowsImplantment.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):1555
Entropy (8bit):5.352538392767234
Encrypted:false
MD5:C935AC7E1FC7129E75D0DC26AF568E34
SHA1:A30111B4FD0759D813AC3344774D760C830E5628
SHA-256:BF61815C9A1C92B9A18A3A017817955AE21A97376A65DD8B5AEC981C8B942615
SHA-512:47424F6AA72913B17D0B4F3A82578748AEFFA4472AF0ED7CEAD056F1375535A4F390AFACE6673023E0115A66ED757C5C98252EC03A5C38D36694157C6EDE25F2
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rYkaVx1Tiz.exe.log
Process:C:\Users\user\Desktop\rYkaVx1Tiz.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):1555
Entropy (8bit):5.352538392767234
Encrypted:false
MD5:C935AC7E1FC7129E75D0DC26AF568E34
SHA1:A30111B4FD0759D813AC3344774D760C830E5628
SHA-256:BF61815C9A1C92B9A18A3A017817955AE21A97376A65DD8B5AEC981C8B942615
SHA-512:47424F6AA72913B17D0B4F3A82578748AEFFA4472AF0ED7CEAD056F1375535A4F390AFACE6673023E0115A66ED757C5C98252EC03A5C38D36694157C6EDE25F2
Malicious:true
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{ABF4A47A-B6B0-11E8-8397-0024E89CECB7}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):29272
Entropy (8bit):1.7631174801934806
Encrypted:false
MD5:BA8F87D51D4BBB5B32D206ADDFBFD1AA
SHA1:C6C19F60B7F8CA245B41F6E04EBD752B994E5116
SHA-256:1D917BE65E038604074E3EEB4AA6135D5C952A822286B4EB6173F49D20494FBD
SHA-512:EDEF7FEAFED4B49D23A428952B71E54404997C640C4701ED691B70C0650A423947216CFFCF3E696A4E2184641697916F7619095C676663826EE58DC9C6330C19
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):26344
Entropy (8bit):1.6902340884510254
Encrypted:false
MD5:7FFFD42E903CF0367C86EA733BECAB0F
SHA1:8ED5128D436CC6EDBA34C5A4A299E344A794EF75
SHA-256:3D1E277CE916D25520FE8ADDCD47CAC31FB6208A273B81BFE52364D0F5BE3005
SHA-512:D281F723867C1CD5EF51F045858F4B72B00F8AB36A6549A6BD012F37FD92E6A9BD77B3F366957B657B3C30211C4C8050BBD73B2342D829B7582CAAF039A044CB
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{59765749-B6B0-11E8-8397-0024E89CECB7}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):29272
Entropy (8bit):1.7605628199733092
Encrypted:false
MD5:333B6D385DD75271560D1C3CE7751538
SHA1:4F75A1D93954163EBDA535AA9AE3411575494100
SHA-256:AB2353B33E6DA1AE47728ECE6A0D6964F70B379B6F7F998657DED1E0B863AB4F
SHA-512:583907EDE5DBBEDCD998CA2815173691CDBEE9089E48C1F187C7BDA712C12652163C24E1B5501020B967FC560F13A7BB3D79CFE0671BF1710A9643DA470E558A
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5976574B-B6B0-11E8-8397-0024E89CECB7}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):26344
Entropy (8bit):1.6878435090178883
Encrypted:false
MD5:A38FFB371E78826ED68EFFC38A7A1BE3
SHA1:0A27F063001F7C3710CE593D1982A817A9D0B874
SHA-256:6A410881D9713BC094A3A2FB8A30C65730D3B4DB389367FCF562E2CA8D3D9C44
SHA-512:2EB01A234549E6AD2FC6AA836DAD4D164F3BE91E4C8E9E8DFDDDAC4AB82521F982CCF0C50D35E3CCD80200487E1051386565FA455978F54BD9C16F4DE1AEAC9F
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):656
Entropy (8bit):5.097476660681116
Encrypted:false
MD5:1801A89A6FA8DDC68BDF279B678411EA
SHA1:9F2E165BFB4D5749122B5CA4582063FA31FE88C8
SHA-256:79AB64FF700C2ECE66BFE6D07DF359E7F44CE35244024C6915D6EA7540CD788D
SHA-512:F9618EEEC21952A6F0A6A59B9A001C02ABDD07D49326C2025483EC9373058CCE835D3076A1F7D3AA6A9B03C2A704D277FBC1F0DFC31A6C213499EBE1D6E7EAEF
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):653
Entropy (8bit):5.1129256210680065
Encrypted:false
MD5:48F4554AD5867ED5938F921F8E7670B6
SHA1:CFC52E96B1DAC34FD40C57E6D92D128F9DE033E7
SHA-256:55C5A1E519B6F84357226CD7D8579C66405559FF229ACB1613993DBA69861263
SHA-512:A97D2EE540F25EA94288A5F62FD799EA92380566C02B4F7AB941DE010BF389795E1619C8DDE2935550892B4862BB03A7FE9584C26A889ED873F108BD5C9B2E31
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):662
Entropy (8bit):5.055175620920031
Encrypted:false
MD5:7CDCBD1456DD2FBC67B4EAC9D341ACC2
SHA1:0A71F7590BBA6A41DB7D5532647311A96CE1938E
SHA-256:65100DC5DB77524FCE393F4969287E2B454B86D13ACA2011382DCBC081C9DCA6
SHA-512:D19E7C57B9B587496E6A5E079D1AAB8507ADD7BAA31835660B6F3A2EAADF01ACA4B0AAE416ACEAEDE0619D5F968AADBC5935B39593DCBECDA5816454F4032C4F
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):410
Entropy (8bit):5.152390339351481
Encrypted:false
MD5:0CBF00961861338475078167BB699693
SHA1:153B9AB242297FFF2D3784AAA2D67EFD47FED0B8
SHA-256:CB40D6E09E299226558D5BEB23330266D30FD836FA9D4FF0EEEA0601D2CBCA1D
SHA-512:54D657C398D9B61D766392C8E5BD83A78580D5FC3562BFA30FA49AFC411284154B36E5B0521545834A61C5328184B66C739143139D63D153F52D7B7F9CAC71D9
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):647
Entropy (8bit):5.06735115717658
Encrypted:false
MD5:3FC7679559AC8ECD04A47B07FE78ECD4
SHA1:44384B7B5B84E56BA178B58756BE3F2D57456F64
SHA-256:8C1F5BD9FA0640271A814ACD6F53346348A5ED28E63C24782C26E02BD8908515
SHA-512:F864066A017610EF9BB70517EAC860F49FC73F739A895BADFF34F0FF1242B097097D9272711B8E8E543C07F8A174FF33E260075691AD571F410C1A9FF06E8BE9
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):656
Entropy (8bit):5.114363039715043
Encrypted:false
MD5:31BF67CB84D625720E3A8407CE6FD338
SHA1:30A2BA43E7D1915A371BFAECEC6C4D88E3575EDE
SHA-256:27B8A1F0655793EAF19436B155E8D405D271CFA52F5F6F47EEA7DEC6E8581EE3
SHA-512:615CF7C253E3CE84E88B3F5BE1D02E14B7EFA1B5FB87E68B636DC278560B1ECBBF4D3EDE53CC6E00086FE383DA8180ECD3ADA17DDB23469662864053265B70BD
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):653
Entropy (8bit):5.094201780222524
Encrypted:false
MD5:88AC9BD7BA08F389D94B6AC123D43B50
SHA1:191B63D8E1A5A430B1B311CD0F2214418B680971
SHA-256:A969CB1D9AB9172EF99E7950635A59D926776F34BD19436A80CE51231BD76A32
SHA-512:9EBAED448C8FD8772AD694B1B876C133D62003704F6B2F77FF9CECDDBF48A933EC8DF8530AEECACCCFCE6376BAD7D67C32C74A54DC30905BABD26D1F1AA47089
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):656
Entropy (8bit):5.1268894059510295
Encrypted:false
MD5:B59C44D46585E2A16CBE531F75A89B25
SHA1:C058DB6DE5037BF46392C3508F3C48FE1C8A8457
SHA-256:B0B07462C0D6A3D1F634151D042D3CDD8F3C2DB4605353B30DBDDDDDE82F4CDD
SHA-512:ED765785115B5FBE74DB1260AD9AE7C4387C6AE3D58561A6DE1286EBA41D1BF7473D31AA5C7CC0DED6CB0559486B4F0E01956454CE0A160C10663F34A1701929
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):659
Entropy (8bit):5.116120210270429
Encrypted:false
MD5:8B626EEBDA9E687A50021E0B9EEDD96D
SHA1:7BFADC4F7682A80F70FD151C6381E4116B1D0E1E
SHA-256:66C673CE062893F1043659C2706F84009A262C519DE7CF859DB61BCE7CAE9547
SHA-512:FF964FF42B72DD02D267E2FD8029D200E6A9B95953EFB679F461034D8E623B18365A0FB754553DC6FC62B3537E752EDFFAEDEF3B05AB929F6F180AAF740E4B37
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:XML document text
Size (bytes):653
Entropy (8bit):5.077220315464634
Encrypted:false
MD5:29499A5EC6F7AE9C75FCEB5F0D63F94A
SHA1:2ADE9E3459FAABCC5D0F28E93755C80341F8B383
SHA-256:6AB78F0E32DF197B923A3F89ACE4C9602F5418B72B85B2128A0C197A542B2604
SHA-512:3F9CA8E19CCBD74B19DD6D544F9F69F0A01A20DAE9D9F85AAE8B332F9320DD16076A138C9C7DD685C8377A879873FD49C62C42A3F6DCB86B3F08C35119CC7143
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\61979OYO\httpErrorPagesScripts[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):8901
Entropy (8bit):5.317225857035187
Encrypted:false
MD5:FC5855D30C457F8207585345EACD6B1E
SHA1:BEF61B445D9A1E907C8B0FCEDE6021C3241BFB9B
SHA-256:47F64690A289649AAF130966513AA6CD38BAA3E7379B6AB8EE2E0C083555BEC9
SHA-512:38089C4987163F03431BBE7F5C75A97A7A3438FA54436F8E51B78BD15384B9957F7AC71A01E9A60EEF197469959A8C020E5EB7CD1E6C98265BB423DD42D51600
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GN9495RI\dnserror[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):1857
Entropy (8bit):4.605068478069389
Encrypted:false
MD5:73C70B34B5F8F158D38A94B9D7766515
SHA1:E9EAA065BD6585A1B176E13615FD7E6EF96230A9
SHA-256:3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4
SHA-512:927DCD4A8CFDEB0F970CB4EE3F059168B37E1E4E04733ED3356F77CA0448D2145E1ABDD4F7CE1C6CA23C1E3676056894625B17987CC56C84C78E73F60E08FC0D
Malicious:false
Reputation:high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\S5OF6L0Q\NewErrorPageTemplate[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):1310
Entropy (8bit):4.810709096040597
Encrypted:false
MD5:CDF81E591D9CBFB47A7F97A2BCDB70B9
SHA1:8F12010DFAACDECAD77B70A3E781C707CF328496
SHA-256:204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD
SHA-512:977DCC2C6488ACAF0E5970CEF1A7A72C9F9DC6BB82DA54F057E0853C8E939E4AB01B163EB7A5058E093A8BC44ECAD9D06880FDC883E67E28AC67FEE4D070A4CC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\X7N0DX2L\errorPageStrings[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):3532
Entropy (8bit):5.078885031679817
Encrypted:false
MD5:5922E226EAB2F42711423CCA38BA25AD
SHA1:C23156CC122E1772D0E8F42AF3B66A319A8D2AEA
SHA-256:0246E5565859A53B5840E12985D4C78CFEBC501EA3EF7D3ADE16CBC2D2DBD781
SHA-512:0EEBC4D94DB78DC033521C1D7F496465A220107455E85214B00D762C19EE593240346E24F6376A7818FD6340058FE61A53DF1F05639586CDDF68981C68E338D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE\6DBAO8NF\httpErrorPagesScripts[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):8901
Entropy (8bit):5.317225857035187
Encrypted:false
MD5:FC5855D30C457F8207585345EACD6B1E
SHA1:BEF61B445D9A1E907C8B0FCEDE6021C3241BFB9B
SHA-256:47F64690A289649AAF130966513AA6CD38BAA3E7379B6AB8EE2E0C083555BEC9
SHA-512:38089C4987163F03431BBE7F5C75A97A7A3438FA54436F8E51B78BD15384B9957F7AC71A01E9A60EEF197469959A8C020E5EB7CD1E6C98265BB423DD42D51600
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE\8CVDPTGO\errorPageStrings[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):3532
Entropy (8bit):5.078885031679817
Encrypted:false
MD5:5922E226EAB2F42711423CCA38BA25AD
SHA1:C23156CC122E1772D0E8F42AF3B66A319A8D2AEA
SHA-256:0246E5565859A53B5840E12985D4C78CFEBC501EA3EF7D3ADE16CBC2D2DBD781
SHA-512:0EEBC4D94DB78DC033521C1D7F496465A220107455E85214B00D762C19EE593240346E24F6376A7818FD6340058FE61A53DF1F05639586CDDF68981C68E338D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE\HI313LFH\dnserror[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):1857
Entropy (8bit):4.605068478069389
Encrypted:false
MD5:73C70B34B5F8F158D38A94B9D7766515
SHA1:E9EAA065BD6585A1B176E13615FD7E6EF96230A9
SHA-256:3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4
SHA-512:927DCD4A8CFDEB0F970CB4EE3F059168B37E1E4E04733ED3356F77CA0448D2145E1ABDD4F7CE1C6CA23C1E3676056894625B17987CC56C84C78E73F60E08FC0D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LXE2MONP\NewErrorPageTemplate[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):1310
Entropy (8bit):4.810709096040597
Encrypted:false
MD5:CDF81E591D9CBFB47A7F97A2BCDB70B9
SHA1:8F12010DFAACDECAD77B70A3E781C707CF328496
SHA-256:204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD
SHA-512:977DCC2C6488ACAF0E5970CEF1A7A72C9F9DC6BB82DA54F057E0853C8E939E4AB01B163EB7A5058E093A8BC44ECAD9D06880FDC883E67E28AC67FEE4D070A4CC
Malicious:false
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):88
Entropy (8bit):4.296865172831813
Encrypted:false
MD5:32760D219281383922D9211E7EDF82FA
SHA1:7A20CE98E6EA10FF23FB9D9DDB2FE8A188B97E8D
SHA-256:00B8EBFCC2E2E00FB7144ED5A4C76D02FFB91F587F161AE019DF62AF22412724
SHA-512:204ED940A458059378B4AC8A551F53F0AFFA612DE9B39EB3ADFCB3FB96F81905E9AF27A00CF96BC107092941444DAF347A9563AED34AEB04B069A31B67F44B19
Malicious:false
C:\Users\user\AppData\Local\Temp\Low\JavaDeployReg.log
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):88
Entropy (8bit):4.462368115068405
Encrypted:false
MD5:A141DBBC5AB973B167584036CE8E06C5
SHA1:5E1FDB35B538E58D049A234A94199F8E1E835933
SHA-256:150F572F37438BE5DA7DF21EC563A83B48A08B48B891D006E6B620A4712BB961
SHA-512:427DFD274A3B86AD819EE4DF74846DA975B18DD6A4E0FC3A095CAFD2EEB88ADBCC20632089A56C13DFBBDC836C82678124C81B2C7AAF367990B4DE7A4008EF25
Malicious:false
C:\Users\user\AppData\Local\Temp\~DF264248DDDB5CB074.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 2, next free block index 16711424
Size (bytes):12933
Entropy (8bit):0.3980101623303438
Encrypted:false
MD5:CCC12D679F39C685452C17DD942E5432
SHA1:CFAB1329494B1934FA5765BC91869A8E67B3F035
SHA-256:C4757EAB99B0C7236B331F2ABAE7747C3DCD89EA9F157F5EED5FFF6EFA1E229D
SHA-512:9E5944A98626DC473C18BC6945D68402B0AA52E6BA713EC92D882435BD914408C6E06A9A8BB04298744D792998E7960E5260668B4A793564C7283E64C6DF8608
Malicious:false
C:\Users\user\AppData\Local\Temp\~DF56506D0F3B9A9AFA.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 2, next free block index 16711424
Size (bytes):38841
Entropy (8bit):0.3945389018514335
Encrypted:false
MD5:DBA11022E9F1C71B206BFF0AC9151D08
SHA1:90C91D13EEF10748E1936240D150B4302964F247
SHA-256:D3F19E2CF865580BE2EDA7E796E4810A4C121EB59CB35E131F4CC16FF9566D47
SHA-512:70EA689AE756C04A3D6CCAE04C02AEACBBDA8FCC4320D417C5BF0EB36DED3A04E9B88973A409ABF066BFC229DC6A562D0B1DD057AE36A2D703A8D9774699191A
Malicious:false
C:\Users\user\AppData\Local\Temp\~DFF87590EA8045F023.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 2, next free block index 16711424
Size (bytes):38841
Entropy (8bit):0.39711052082797726
Encrypted:false
MD5:9C4AF05C16ED3460DF478AA8C88AB1AD
SHA1:EA0F500E4B5E117E6537684E148F9351EC7BD599
SHA-256:3C2D038B03FC78A22808A90B2C87FC5498E450C9FE9A201E1D8E98DCCFE1F63B
SHA-512:9F8F3A38D112741C5932DE90BE15CEE0CB28BD2BE3C2EFA2ECAA54CC02D52C4539DEED86C1D7EA895D42DE0D693997068741CCA3B730B0E10E558D182ED629BB
Malicious:false
C:\Users\user\AppData\Local\Temp\~DFFD7A13B6C12F9511.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 2, next free block index 16711424
Size (bytes):12933
Entropy (8bit):0.39974669314490197
Encrypted:false
MD5:07F54FFECADF1BE136C9C9DA9D8A43B4
SHA1:AD59924BD306BF7C2472EB1E826DEA477B357750
SHA-256:695B63E9756057072DE825A580C62CDB73F4EAE02FF364D5D708E12922B3134A
SHA-512:AD747ABAE4A58AD46C8441D050E26CCAB9C3BB2F6B5792997B8EF1F9B845D818A66788BF178F20ADDF721AB9C2AD9CD9B1A1BF6FD5177139382395E309F0AD03
Malicious:false
stdout
Process:C:\Windows\System32\whoami.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):13
Entropy (8bit):3.7004397181410926
Encrypted:false
MD5:4610CA652B724FC45F72742489C8B48B
SHA1:B3264F15077CF6B581EBEF952610A72D7508648A
SHA-256:DD8AF2BC3C990F963E78E7CB3FEDA5C0F3A5EBDC593802DD96A3B6E929BB4C5C
SHA-512:24FD10C49BC3D04FAB0B7889E9A6332A446D55E0B378975B60A21327B27583C95A2AE307C8A62A88A3F41E0BEA675CB8F39FFEA1F55D23B798554E47B9B2B14C
Malicious:false

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.windowspatch.com | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windowspatch.com/khc?77313033325C626F726174 | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp, ~DF56506D0F3B9A9AFA.TMP.7.dr | false | | unknown
http://www.nytimes.com/ | msapplication.xml4.7.dr | false | | high
http://www.windowspatch.com/khc?77313033325C626F726174Root | {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr | false | | unknown
http://www.windowspatch.com/ | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | false | | unknown
http://www.windowspatch.com | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | false | | unknown
http://www.youtube.com/ | msapplication.xml8.7.dr | false | | high
http://www.windowspatch.com/khc?77313033325C626F726174h.com/khc?77313033325C626F726174 | {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr | false | | unknown
http://www.wikipedia.com/ | msapplication.xml7.7.dr | false | | unknown
http://www.amazon.com/ | msapplication.xml.7.dr | false | | high
http://www.live.com/ | msapplication.xml3.7.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | false | | high
http://www.reddit.com/ | msapplication.xml5.7.dr | false | | high
http://www.twitter.com/ | msapplication.xml6.7.dr | false | | high

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.758192633055449
TrID:
• Win32 Executable (generic) a (10002005/4) 99.02%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.73%
• Windows Screen Saver (13104/52) 0.13%
• Visual Basic Script (6000/0) 0.06%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:rYkaVx1Tiz.exe
File size:191488
MD5:ea6321f55ea83e6f2887a2360f8e55b0
SHA1:3144555df7028a4f291247b608e3e44059fcb759
SHA256:6b240178eedba4ebc9f1c8b56bac02676ce896e609577f4fb64fa977d67c0761
SHA512:e4850873cb1d7e87106bd920214e3f8bcaf73bc6563ac2a45a1f46e2416e92ca591c4a46462f1a0a189ed028eccf925dcbe303fbd5faf884b0de4b29ef7f7a81
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8K[.........."...................... ........@.. .......................@............@................................

File Icon

Static PE Info

General

Entrypoint:0x42ff1e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5B4B389B [Sun Jul 15 12:05:47 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fecc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x710 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2df24 | 0x2e000 | False | 0.420049252717 | data | 5.78515725799 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x30000 | 0x710 | 0x800 | False | 0.3564453125 | data | 3.80094813341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x32000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x300a0 | 0x480 | 8086 relocatable (Microsoft) | |
RT_MANIFEST | 0x30520 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Microsoft Corporation. All rights reserved.
Assembly Version | 7.0.1348.78
InternalName | Windows Implantment Module.exe
FileVersion | 7.0.1348.78
CompanyName | Microsoft Corporation
LegalTrademarks |
Comments | Microsoft Windows Implantment Module
ProductName | Microsoft Windows Operating System
ProductVersion | 7.0.1348.78
FileDescription | Windows Implantment Module
OriginalFilename | Windows Implantment Module.exe

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 12, 2018 10:21:38.178407907 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:39.169878006 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:40.169497013 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:41.205962896 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:41.215812922 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:42.201086998 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:42.205853939 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:43.197067976 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:43.201066017 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:44.244088888 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:45.229855061 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:46.234256029 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:55.841625929 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:56.826448917 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:57.826447010 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:58.876128912 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:58.886418104 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:59.857712984 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:59.873353958 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:22:00.873403072 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:22:00.885813951 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:01.917043924 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:02.902328014 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:03.908896923 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 12, 2018 10:21:38.178407907 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:39.169878006 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:40.169497013 CEST | 53442 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:41.205962896 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:41.215812922 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:42.201086998 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:42.205853939 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:43.197067976 CEST | 53 | 53442 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:43.201066017 CEST | 52861 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:44.244088888 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:45.229855061 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:46.234256029 CEST | 53 | 52861 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:55.841625929 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:56.826448917 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:57.826447010 CEST | 52420 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:58.876128912 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:58.886418104 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:21:59.857712984 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:21:59.873353958 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:22:00.873403072 CEST | 52455 | 53 | 192.168.0.60 | 8.8.8.8
Sep 12, 2018 10:22:00.885813951 CEST | 53 | 52420 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:01.917043924 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:02.902328014 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60
Sep 12, 2018 10:22:03.908896923 CEST | 53 | 52455 | 8.8.8.8 | 192.168.0.60

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Sep 12, 2018 10:21:42.205993891 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:21:43.197328091 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:21:45.231185913 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:21:46.235325098 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:21:59.857837915 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:22:00.885893106 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:22:02.902445078 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable
Sep 12, 2018 10:22:03.909018993 CEST | 192.168.0.60 | 8.8.8.8 | ce30 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 12, 2018 10:21:38.178407907 CEST | 192.168.0.60 | 8.8.8.8 | 0x143c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:39.169878006 CEST | 192.168.0.60 | 8.8.8.8 | 0x143c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:40.169497013 CEST | 192.168.0.60 | 8.8.8.8 | 0x143c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:41.215812922 CEST | 192.168.0.60 | 8.8.8.8 | 0xe38c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:42.201086998 CEST | 192.168.0.60 | 8.8.8.8 | 0xe38c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:43.201066017 CEST | 192.168.0.60 | 8.8.8.8 | 0xe38c | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:55.841625929 CEST | 192.168.0.60 | 8.8.8.8 | 0xc93d | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:56.826448917 CEST | 192.168.0.60 | 8.8.8.8 | 0xc93d | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:57.826447010 CEST | 192.168.0.60 | 8.8.8.8 | 0xc93d | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:58.886418104 CEST | 192.168.0.60 | 8.8.8.8 | 0x90aa | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:59.873353958 CEST | 192.168.0.60 | 8.8.8.8 | 0x90aa | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)
Sep 12, 2018 10:22:00.873403072 CEST | 192.168.0.60 | 8.8.8.8 | 0x90aa | Standard query (0) | www.windowspatch.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 12, 2018 10:21:41.205962896 CEST | 8.8.8.8 | 192.168.0.60 | 0x143c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:42.205853939 CEST | 8.8.8.8 | 192.168.0.60 | 0x143c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:43.197067976 CEST | 8.8.8.8 | 192.168.0.60 | 0x143c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:44.244088888 CEST | 8.8.8.8 | 192.168.0.60 | 0xe38c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:45.229855061 CEST | 8.8.8.8 | 192.168.0.60 | 0xe38c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:46.234256029 CEST | 8.8.8.8 | 192.168.0.60 | 0xe38c | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:58.876128912 CEST | 8.8.8.8 | 192.168.0.60 | 0xc93d | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:21:59.857712984 CEST | 8.8.8.8 | 192.168.0.60 | 0xc93d | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:22:00.885813951 CEST | 8.8.8.8 | 192.168.0.60 | 0xc93d | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:22:01.917043924 CEST | 8.8.8.8 | 192.168.0.60 | 0x90aa | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:22:02.902328014 CEST | 8.8.8.8 | 192.168.0.60 | 0x90aa | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)
Sep 12, 2018 10:22:03.908896923 CEST | 8.8.8.8 | 192.168.0.60 | 0x90aa | Server failure (2) | www.windowspatch.com | none | none | A (IP address) | IN (0x0001)

System Behavior

General

Start time:20:21:49
Start date:12/09/2018
Path:C:\Users\user\Desktop\rYkaVx1Tiz.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\rYkaVx1Tiz.exe'
Imagebase:0x1c0000
File size:191488 bytes
MD5 hash:EA6321F55EA83E6F2887A2360F8E55B0
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:20:21:50
Start date:12/09/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'cmd.exe' /c whoami
Imagebase:0xc30000
File size:202240 bytes
MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:21:50
Start date:12/09/2018
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x1230000
File size:46080 bytes
MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:21:50
Start date:12/09/2018
Path:C:\Windows\System32\whoami.exe
Wow64 process (32bit):false
Commandline:whoami
Imagebase:0xa00000
File size:58880 bytes
MD5 hash:31FF92F0558A13CE4C7B935FD007B416
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:20:21:56
Start date:12/09/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Imagebase:0xc30000
File size:202240 bytes
MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:21:56
Start date:12/09/2018
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x1230000
File size:46080 bytes
MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:21:57
Start date:12/09/2018
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Imagebase:0xb00000
File size:186880 bytes
MD5 hash:22CFF8E0A49073A4C7A0A9BBADEF062B
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:20:21:57
Start date:12/09/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:0x1360000
File size:820416 bytes
MD5 hash:E7CD04555F47651B79A50DBA6148019C
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:21:58
Start date:12/09/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2
Imagebase:0x1360000
File size:820416 bytes
MD5 hash:E7CD04555F47651B79A50DBA6148019C
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:24:00
Start date:12/09/2018
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wscript.EXE C:\ProgramData\Windows\ShwDoc.vbs
Imagebase:0xdc0000
File size:148992 bytes
MD5 hash:8271B2F085B320D1AB9E459B9F46D38B
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:24:03
Start date:12/09/2018
Path:C:\ProgramData\Windows\WindowsImplantment.exe
Wow64 process (32bit):false
Commandline:'C:\ProgramData\Windows\WindowsImplantment.exe'
Imagebase:0x1c0000
File size:191488 bytes
MD5 hash:EA6321F55EA83E6F2887A2360F8E55B0
Has administrator privileges:false
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:20:24:06
Start date:12/09/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'cmd.exe' /c whoami
Imagebase:0xc30000
File size:202240 bytes
MD5 hash:7DB6A5CEEAC1CB15CF78552794B3DB31
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:24:07
Start date:12/09/2018
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x1230000
File size:46080 bytes
MD5 hash:66CC0EE1A55D150A84EF8D91D18B7C55
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:24:07
Start date:12/09/2018
Path:C:\Windows\System32\whoami.exe
Wow64 process (32bit):false
Commandline:whoami
Imagebase:0xa00000
File size:58880 bytes
MD5 hash:31FF92F0558A13CE4C7B935FD007B416
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

General

Start time:20:24:15
Start date:12/09/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:0x1360000
File size:820416 bytes
MD5 hash:E7CD04555F47651B79A50DBA6148019C
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:20:24:16
Start date:12/09/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2
Imagebase:0x1360000
                        File size:820416 bytes
                        MD5 hash:E7CD04555F47651B79A50DBA6148019C
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Disassembly

                        Code Analysis


                          Executed Functions

                          Memory Dump Source
                          • Source File: 00000008.00000003.25123097949.07640000.00000010.sdmp, Offset: 07640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_3_7640000_iexplore.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bab15bd502082b818c32fd70c294dea96ba727ecf5570fd476731c38de5bca8
                          • Instruction ID: 5252a5e935b542cb13c0008078a0761add6d60e6eb758d5ad05d8ae979947c1b
                          • Opcode Fuzzy Hash: 5bab15bd502082b818c32fd70c294dea96ba727ecf5570fd476731c38de5bca8
                          • Instruction Fuzzy Hash:

                          Non-executed Functions

                          Executed Functions

                          Memory Dump Source
                          • Source File: 0000000F.00000003.25162354412.07610000.00000010.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_3_7610000_iexplore.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bab15bd502082b818c32fd70c294dea96ba727ecf5570fd476731c38de5bca8
                          • Instruction ID: b28cd3330e61497cf032f188fbf3c6e53c6c06f49b4da89cbb12eff1c2181c71
                          • Opcode Fuzzy Hash: 5bab15bd502082b818c32fd70c294dea96ba727ecf5570fd476731c38de5bca8
                          • Instruction Fuzzy Hash:

                          Non-executed Functions