SecondWrite DeepView - 5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8

124.2 kB

Size

2020-06-23 17:15:35

First seen 6 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

High

Virus

Low

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

Medium

Worm

Low

Spyware

Low

Indicators

Expand All

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Sandbox

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task.

Anti-Vm

Queries for the computername

PID	API	Arguments
2904	GetComputerNameA	computer_name: VIRTUAL-PC
2904	GetComputerNameA	computer_name: VIRTUAL-PC

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

PID	API	Arguments
2272	GlobalMemoryStatusEx	N/A

Checks adapter addresses which can be used to detect virtual network interfaces

PID	API	Arguments
2904	GetAdaptersAddresses	flags: 0 family: 0
2904	GetAdaptersAddresses	flags: 0 family: 0

Av-Tools

This sample is detected by clamav as: Win.Malware.Scar-6745903-0

One or more AV tool detects this sample as malicious: Trojan:Win32/Sakurel.B!dha

Dropper

Drops a binary and executes it

Generic

Creates executable files on the filesystem

Reads data out of its own binary image

Http

Performs some HTTP requests

Infostealer

Sniffs keystrokes

Network

Performs some DNS requests

Origin

Unconventionial language used in binary resources

Packer

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2904	NtProtectVirtualMemory	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x03801000 process_handle: 0xffffffff
2904	NtProtectVirtualMemory	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x409a1000 process_handle: 0xffffffff
2904	NtProtectVirtualMemory	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x6c881000 process_handle: 0xffffffff
2904	NtProtectVirtualMemory	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x3fd81000 process_handle: 0xffffffff
2904	NtProtectVirtualMemory	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x40ed1000 process_handle: 0xffffffff

Creates a suspicious process

Creates a slightly modified copy of itself

Persistence

Installs itself for autorun at Windows startup

Static

Anomalous binary characteristics

Stealth

A process created a hidden window

Possible date expiration check, exits too soon after checking local time

Deletes its original binary from disk

Yara

Yara Pattern Name	Description
Str_Win32_Wininet_Library	Match Windows Inet API library declaration
Str_Win32_Internet_API	Match Windows Inet API call
Str_Win32_Http_API	Match Windows Http API call
IsPE32	No Description Available
HasOverlay	Overlay Check
HasRichSignature	Rich Signature Check
sakula_v1_4	Sakula v1.4
anti_dbg	Checks if being debugged
network_http	Communications over HTTP
win_registry	Affect system registries
win_token	Affect system token
win_files_operation	Affect private profile

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x0000d544	0x0000e000	6.45158428922
.rdata	0x0000f000	0x00002536	0x00003000	4.67891639254
.data	0x00012000	0x000039c8	0x00002000	1.41778191535
.rsrc	0x00016000	0x00002b30	0x00003000	3.55513877152

Resources

Name	Offset	Size	Language	Sub-language	File type
DAT	0x000174d8	0x00001600	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	None
DAT	0x000174d8	0x00001600	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	None
RT_MANIFEST	0x00018ad8	0x00000056	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Imports

Library KERNEL32.dll:

CloseHandle
CreateDirectoryA
CreateFileA
CreatePipe
CreateProcessA
DeleteCriticalSection
EnterCriticalSection
ExitProcess
ExpandEnvironmentStringsA
FindClose
FindFirstFileA
FindResourceA
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetCommandLineA
GetComputerNameA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileSize
GetFileType
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetVersionExA
GetVolumeInformationA
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadResource
LockResource
MultiByteToWideChar
OpenProcess
PeekNamedPipe
QueryPerformanceCounter
ReadFile
RtlUnwind
SetEndOfFile
SetFilePointer
SetHandleCount
SetLastError
SetPriorityClass
SetStdHandle
SetThreadPriority
SetUnhandledExceptionFilter
SizeofResource
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
WideCharToMultiByte
WinExec
WriteConsoleA
WriteConsoleW
WriteFile

Library ADVAPI32.dll:

AllocateAndInitializeSid
EqualSid
FreeSid
GetTokenInformation
GetUserNameA
OpenProcessToken
RegCloseKey
RegDeleteKeyA
RegOpenKeyA
RegSetValueExA

Library SHELL32.dll:

None
SHChangeNotify
ShellExecuteA

Library WININET.dll:

HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile

Strings

!This program cannot be run in DOS mode.
ovRich
`.rdata
@.data
\$$VW3
L$ _^[3
l$(PUVh ;A
L$@QUUUj
T$0Rhl=A
UUUWUU
T$@RVWP
QVVVVVVh
^WWWWW
0VVVVV
YYuTVWh2
t!h|IA
<at9<rt,<wt
URPQQh
HHt@HHt
2If90t
0WWWWW
j(j ^V
F9=LHA
Y;=08A
>=Yt/j
t#SSUP
t$$VSS
_^][YY
YYu-9D$
t>Ht2Ht&
^SSSSS
8VVVVV
;t$,v-
UQPXY]Y[
0A@@Ju
Fh=(2A
t^9(uZ
tD9(u@
^SSSSS
j"^SSSSS
tm95pGA
0SSSSS
0SSSSS
0SSSSS
v$;549A
PPPPPPPP
PPPPPPPP
t+WWVPV
rss.tmp
iexplorer
?resid=%d&photoid=
=%s&type=%d&resid=%d
.jpg?resid=%d
http://
HTTP/1.1
%d_of_%d_for_%s_on_%s
cmd.exe /c
Self Process Id:%d
Create Child Cmd.exe Process Succeed!
Child ProcessId is %d
C:\windows\system32\cmd.exe
Program Files (x86)
cmd.exe
/c ping 127.0.0.1 & del /q "%s"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
PlayWin32
Playx64
cmd.exe /c rundll32 "%s"
CorExitProcess
mscoree.dll
UTF-16LE
UNICODE
(null)
`h````
xpxxxx
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
InitializeCriticalSectionAndSpinCount
kernel32.dll
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetVersionExA
GetVolumeInformationA
GetModuleFileNameA
GetLastError
GetComputerNameA
MultiByteToWideChar
WideCharToMultiByte
GetTickCount
GetTempPathA
WinExec
CloseHandle
WriteFile
SetFilePointer
CreateFileA
VirtualFree
ReadFile
VirtualAlloc
GetFileSize
PeekNamedPipe
CreateProcessA
GetStartupInfoA
CreatePipe
GetCurrentProcessId
TerminateProcess
OpenProcess
FindClose
FindFirstFileA
GetSystemDirectoryA
ExitProcess
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
SizeofResource
LockResource
LoadResource
FindResourceA
CreateDirectoryA
ExpandEnvironmentStringsA
KERNEL32.dll
FreeSid
EqualSid
GetTokenInformation
AllocateAndInitializeSid
OpenProcessToken
RegCloseKey
RegDeleteKeyA
RegOpenKeyA
GetUserNameA
RegSetValueExA
ADVAPI32.dll
ShellExecuteA
SHChangeNotify
SHELL32.dll
InternetOpenA
InternetCloseHandle
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetReadFile
InternetOpenUrlA
WININET.dll
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
GetProcAddress
GetModuleHandleA
GetCommandLineA
GetProcessHeap
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
DeleteCriticalSection
HeapReAlloc
HeapDestroy
HeapCreate
GetStdHandle
SetHandleCount
GetFileType
GetConsoleCP
GetConsoleMode
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
LoadLibraryA
InitializeCriticalSection
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
SetStdHandle
FlushFileBuffers
GetCPInfo
GetACP
GetOEMCP
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
HeapSize
GetLocaleInfoA
SetEndOfFile
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
!!!x%7 ;&3"x59;
y&>9"9y
83!?;713x7%&
y ?3!&>9"9x7%&
?;713?2
&27"3x3.3
',4!5:
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
tVKCVEI
cKhMJO
cK`ARpKKH
4rswuvN
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
IWRGVP
IEHHKG
IAIWAP
/!WTVMJPB
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
tHE]sMJ
tVKCVEI
cKhMJO
cK`ARpKKH
rswuvp
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
IWRGVP
IEHHKG
IAIWAP
/!WTVMJPB
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
!This program cannot be run in DOS mode.
h:Rich2
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
t#Hu7V
t79V$t2h
E(null)
((((( H
h(((( H
H
eaHAREPMKJ
e@IMJMWPVEPKV
xSMJ@KSWxW]WPAI
xW]WTVATx
xsMJ@KSWxw]WPAI
xW]WTVAT
gv}tpfewa
xsMJ@KSWxw]WPAI
xW]WTVATxW]WTVAT
eaHAREPMKJ
e@IMJMWPVEPKV
xSMJ@KSWxW]WPAI
xW]WTVATx
xsMJ@KSWxw]WPAI
xW]WTVAT
gv}tpfewa
xsMJ@KSWxw]WPAI
xW]WTVATxW]WTVAT
RESOURCE_FATOKENIZER
KERNEL32.DLL
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
- abort() has been called
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
((((( H
CONOUT$

Dropped Files

1000afaf8a5dfd52_adobeupdate.exe

Name: 1000afaf8a5dfd52_adobeupdate.exe
Size: 124.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 72b2f75560669e6825a049114ced3032
SHA1: 063cc2953aecfb72fd50e48ac9dcda2eb44dba03
SHA256: 1000afaf8a5dfd520ad1ea7b0274c4bf86614f5237a966a2a1f43412b7bc7e71
SHA512: ecf51cb132e7703d346e97036aeee49bba46fe16714b6368c18849853f6b2dcbb82566efb999ce8996a226b0bbf6952d5f29eacc2c47ff63a992b4a28442de1e
Ssdeep: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrvYTjipvF2+:9bfVk29te2jqxCEtg30BrYvQd2+

5550110ddb42ca93_5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe

Name: 5550110ddb42ca93_5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
Size: 124.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3886a6d991d1824e7d67452b4e59c8af
SHA1: e1fa437d513fbf744c1a5d69ce80fde1856625c2
SHA256: 5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8
SHA512: 7c80c999e2a5fd307199b178ee40018ef3f61067be074e7827b1066be18245eb43b6edc3242dcef4f66068ece9410ca0bc8f84b97b4247cc28cfd0b5b58a69a9
Ssdeep: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrvYTjipvF2V:9bfVk29te2jqxCEtg30BrYvQd2V

81fd10aec2fd12f5_adobeupdate.exe

Name: 81fd10aec2fd12f5_adobeupdate.exe
Size: 124.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9a68d1b39944337eb5c2fd7c4cad41c3
SHA1: d17e35d885ab9fecd4e48f170895589a0a04071f
SHA256: 81fd10aec2fd12f5ce3a1b036516d865bd1a6b195ad93d02114ef6c5454310e6
SHA512: 384b858c9cba819b9395d327e503c040eb0e1479cdde9cdef82ce4efc01cf05f489cfb696d77993e209717c8fece84a263ebabfb1dc7ee71f3b13d2693f8f211
Ssdeep: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrvYTjipvF2g:9bfVk29te2jqxCEtg30BrYvQd2g

cce07e2c1a4fe330_adobeupdate.exe

Name: cce07e2c1a4fe330_adobeupdate.exe
Size: 124.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 564acaad5b2431283dc43c96733bba93
SHA1: e13d4f48e4f25f5aca108b77ad9d2a2fcc4b3b13
SHA256: cce07e2c1a4fe330878669b5d7c348f6d075d6ffc444e86dd3309ede758cc738
SHA512: 77a4a3675c94e06319897b0614707902df432f815f537c3395e6e71f1afefdc0d8dbfe02c325d0934fefa8daea755265d3fc21aa0399b62b008b20b01416a54a
Ssdeep: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrvYTjipvF2B:9bfVk29te2jqxCEtg30BrYvQd2B

Network

DNS Requests

Domain	IP Address	Destination Location
www.savmpet.com		Not Available
www.msftncsi.com	184.150.58.160	CA
teredo.ipv6.microsoft.com		Not Available

HTTP Requests

http://www.msftncsi.com/ncsi.txt

GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

Hosts Involved

IP Address	Country of Origin
23.20.239.12	US
87.245.213.82	GB

Geolocation

Destination Country

US:: 33%
GB:: 33%
CA:: 33%

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 5217DE8A
MD5: 3886a6d991d1824e7d67452b4e59c8af
SHA1: e1fa437d513fbf744c1a5d69ce80fde1856625c2
SHA256: 5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8
SHA512: 7c80c999e2a5fd307199b178ee40018ef3f61067be074e7827b1066be18245eb43b6edc3242dcef4f66068ece9410ca0bc8f84b97b4247cc28cfd0b5b58a69a9
Ssdeep: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrvYTjipvF2V:9bfVk29te2jqxCEtg30BrYvQd2V
PEiD: None matched

Screenshots

Behavior Summary

File-Read

C:\Program Files (x86)\desktop.ini
C:\Users\Public\Desktop\Adobe Reader 9.lnk
C:\Users\Virtual\AppData\Local\Temp\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
C:\Users\Virtual\Desktop\TeXnicCenter.lnk

File-Written

C:\Users\Virtual\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

File-Deleted

C:\Users\Virtual\AppData\Local\Temp\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe

File-Opened

C:\
C:\Program Files (x86)\desktop.ini
C:\Users\Public\Desktop\Adobe Reader 9.lnk
C:\Users\Virtual\AppData\Local\Temp\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
C:\Users\Virtual\Desktop\TeXnicCenter.lnk
C:\Windows\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui

Network-Resolves URL

127.0.0.1
Virtual-PC
wpad

Network-Connects Host

www.savmpet.com

Directory-Created

C:\Users\Virtual\AppData\Local\Temp\MicroMedia

Directory-Enumerated

C:\Program Files (x86)
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Python27\Scripts\ping
C:\Python27\Scripts\ping.*
C:\Python27\ping
C:\Python27\ping.*
C:\Users
C:\Users\Virtual
C:\Users\Virtual\AppData
C:\Users\Virtual\AppData\Local
C:\Users\Virtual\AppData\Local\Temp
C:\Users\Virtual\AppData\Local\Temp\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
C:\Users\Virtual\AppData\Local\Temp\ping
C:\Users\Virtual\AppData\Local\Temp\ping.*
C:\Users\Virtual\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\Virtual\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\PING.COM
C:\Windows\System32\PING.EXE
C:\Windows\System32\ping.*
C:\Windows\System32\ras\*.pbk

Registry Key-Opened

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_CURRENT_USER\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_CURRENT_USER\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_CURRENT_USER\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_CURRENT_USER\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_CURRENT_USER\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\WHCIconStartup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-cf-f0-3d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\52-54-00-cf-f0-3d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AdobeUpdate_RASMANCS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3131157199-1995805048-2727015567-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\ReNotifyCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\EnableShareDenyNone
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\System.NamespaceCLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 6
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3131157199-1995805048-2727015567-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

Registry Key-Written

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-ae-97-44\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-cf-f0-3d\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-cf-f0-3d\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-cf-f0-3d\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74306E05-02D8-40D6-B925-AFF78A888B42}\WpadNetworkName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdobeUpdate_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate

Mutex-Accessed

IESQMMUTEX_0_208

Processes

Process Name

PID

Parent PID

5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe 2856 2508

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592942873.18		GetSystemTimeAsFileTime		Status SUCCESS
1592942873.18		NtAllocateVirtualMemory	process_identifier: 2856 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x0c610000" allocation_type: 8192 process_handle: "0xffffffff"	Status SUCCESS
1592942873.18		NtFreeVirtualMemory	free_type: 32768 base_address: "0x0c610000" process_identifier: 2856 process_handle: "0xffffffff" size: 917504	Status SUCCESS
1592942873.18		NtAllocateVirtualMemory	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x0c6f0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1592942873.18		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.18	4	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd74f2b" function_name: "FlsAlloc" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942873.18		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.18		LdrGetProcedureAddress	ordinal: 0 function_address: "0x7deb0fcb" function_name: "EncodePointer" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942873.18		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.18		LdrGetProcedureAddress	ordinal: 0 function_address: "0x7deb0fcb" function_name: "EncodePointer" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 304 entries

Previous1 2 3 4 5…31Next

AdobeUpdate.exe 2904 2856

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592942873.36		GetSystemTimeAsFileTime		Status SUCCESS
1592942873.36	2	NtAllocateVirtualMemory	process_identifier: 2904 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00670000" allocation_type: 8192 process_handle: "0xffffffff"	Status SUCCESS
1592942873.36		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.36	4	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd74f2b" function_name: "FlsAlloc" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942873.36		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.36		LdrGetProcedureAddress	ordinal: 0 function_address: "0x7deb0fcb" function_name: "EncodePointer" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942873.36		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.36		LdrGetProcedureAddress	ordinal: 0 function_address: "0x7deb0fcb" function_name: "EncodePointer" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942873.36		LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942873.36		LdrGetProcedureAddress	ordinal: 0 function_address: "0x7deb0fcb" function_name: "EncodePointer" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 470 entries

Previous1 2 3 4 5…47Next

explorer.exe 1072 1036

Time	Repeat	API	Arguments	Result
1592942474.51		GetForegroundWindow		Return Value 65592 Status SUCCESS
1592942474.79		LoadStringW	module_handle: "0x0000000000000000" id: 543 string: "Show hidden icons"	Return Value 17 Status SUCCESS
1592942474.79	2	GetSystemMetrics	index: 45	Return Value 2 Status SUCCESS
1592942474.79		LoadStringW	module_handle: "0x0000000000000000" id: 543 string: "Show hidden icons"	Return Value 17 Status SUCCESS
1592942475.04		GetForegroundWindow		Return Value 65592 Status SUCCESS
1592942475.04		EnumWindows		Return Value 1 Status SUCCESS
1592942475.1		GetForegroundWindow		Return Value 65592 Status SUCCESS
1592942475.1		EnumWindows		Return Value 1 Status SUCCESS
1592942475.16		GetForegroundWindow		Return Value 65592 Status SUCCESS
1592942475.16		EnumWindows		Return Value 1 Status SUCCESS

cmd.exe 460 2856

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	API	Arguments	Result
1592942904.3	GetSystemTimeAsFileTime		Status SUCCESS
1592942904.31	SetUnhandledExceptionFilter		Status FAILURE
1592942904.31	NtOpenThread	access: "0x001fffff" thread_name: "" thread_handle: "0x0000006c" process_identifier: 0	Status SUCCESS
1592942904.31	LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592942904.31	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd8a84f" function_name: "SetThreadUILanguage" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592942904.31	RegOpenKeyExW	regkey_r: "Software\Policies\Microsoft\Windows\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x00020019" regkey: "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"	Return Value 2 Status FAILURE
1592942904.33	RegOpenKeyExW	regkey_r: "Software\Microsoft\Command Processor" base_handle: "0x80000002" key_handle: "0x00000074" options: 0 access: "0x02000000" regkey: "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor"	Status SUCCESS
1592942904.33	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DisableUNCCheck" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck"	Return Value 2 Status FAILURE
1592942904.33	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "EnableExtensions" reg_type: 4 value: 1 regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions"	Status SUCCESS
1592942904.33	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DelayedExpansion" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion"	Return Value 2 Status FAILURE

Showing 1 to 10 of 96 entries

Previous1 2 3 4 5…10Next

Time	API	Arguments	Result
1592942904.61	GetSystemTimeAsFileTime		Status SUCCESS
1592942904.61	SetUnhandledExceptionFilter		Status FAILURE
1592942904.61	WSAStartup	wVersionRequested: 2	Status SUCCESS
1592942904.61	RegOpenKeyExA	regkey_r: "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" base_handle: "0x80000002" key_handle: "0x00000084" options: 0 access: "0x00000001" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"	Status SUCCESS
1592942904.61	RegQueryValueExA	key_handle: "0x00000084" regkey_r: "DefaultTTL" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL"	Return Value 2 Status FAILURE
1592942904.61	RegCloseKey	key_handle: "0x00000084"	Status SUCCESS
1592942904.61	getaddrinfo	service_name: "" hostname: "127.0.0.1"	Status SUCCESS
1592942904.61	LdrLoadDll	module_name: "rpcrt4.dll" basename: "rpcrt4" stack_pivoted: 0 flags: 0 module_address: "0x7db50000"	Status SUCCESS
1592942904.61	NtQuerySystemInformation	information_class: 0	Status SUCCESS
1592942904.61	RegOpenKeyExA	regkey_r: "Software\Microsoft\Rpc" base_handle: "0x80000002" key_handle: "0x00000084" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc"	Status SUCCESS

Classification

Indicators

Yara

Static Analysis

Sections

Resources

Imports

Library KERNEL32.dll:

Library ADVAPI32.dll:

Library SHELL32.dll:

Library WININET.dll:

Strings

Dropped Files

1000afaf8a5dfd52_adobeupdate.exe

5550110ddb42ca93_5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe

81fd10aec2fd12f5_adobeupdate.exe

cce07e2c1a4fe330_adobeupdate.exe

Network

DNS Requests

HTTP Requests

http://www.msftncsi.com/ncsi.txt

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Deleted

File-Opened

Network-Resolves URL

Network-Connects Host

Directory-Created

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Registry Key-Written

Mutex-Accessed

Processes

5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe28562508

AdobeUpdate.exe29042856

explorer.exe10721036

cmd.exe4602856

PING.EXE2272460

5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8.exe 2856 2508

AdobeUpdate.exe 2904 2856

explorer.exe 1072 1036

cmd.exe 460 2856

PING.EXE 2272 460