ID: 152305
Sample Name: OldNewExplorerCfg.exe
Cookbook: default.jbs
Time: 03:48:12
Date: 15/07/2019
Version: 26.0.0 Aquamarine


Copyright Joe Security LLC 2019

Analysis Report OldNewExplorerCfg.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 152305
Start date: 15.07.2019
Start time: 03:48:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: OldNewExplorerCfg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason:
Detection: MAL
Classification: mal48.winEXE@96/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 99.7% (good quality ratio 87%)
Quality average: 75.2%
Quality standard deviation: 34.2%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe; Report size exceeded maximum capacity and may have missing behavior information; Report size getting too big, too many NtOpenKeyEx calls found; Report size getting too big, too many NtQueryValueKey calls found

Detection

Strategy: Threshold
Score: 48
Range: 0 - 100
Whitelisted: false

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

[Classification chart: the sample is plotted against the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware; legend: malicious, suspicious, clean]

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal behavior

Mitre Att&ck Matrix

The matrix is listed here by column (cells top to bottom); the number after a technique is the report's count for it. The first line of the first Discovery cell was lost in extraction and is left blank.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: New Service 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Exploitation for Privilege Escalation 1; Process Injection 1; New Service 1; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Software Packing 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; DLL Side-Loading 1; DLL Search Order Hijacking
Credential Access: Input Capture 1 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: ... Discovery 1; Process Discovery 1; Application Window Discovery 1; Security Software Discovery 1 1; File and Directory Discovery 2; System Information Discovery 2 4
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Screen Capture 1; Input Capture 1 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• DDoS
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

DDoS:

Too many similar processes found

System Summary:

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification

Contains functionality for error logging

Contains functionality to check free disk space

Contains functionality to load and extract PE file embedded resources

Parts of this application are using Borland Delphi (probably coded in Delphi)

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Executable creates window controls seldom found in malware

Found GUI installer (many successful clicks)

Data Obfuscation:

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found large amount of non-executed APIs

Queries keyboard layouts

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Contains functionality to query local / system time

Contains functionality to query windows version

Behavior Graph

[Behavior graph: ID 152305, sample OldNewExplorerCfg.exe, start date 15/07/2019, architecture WINDOWS, score 48. The root node OldNewExplorerCfg.exe (flagged "Is malicious", with the signature "Too many similar processes found") started regsvr32.exe, regsvr32.exe, regsvr32.exe and 30 other processes. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .NET C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Simulations

Behavior and APIs

Time: 03:49:14 | Type: API Interceptor | Description: 2x call for process: OldNewExplorerCfg.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source: OldNewExplorerCfg.exe | Detection: 0% | Scanner: virustotal | Label: | Link: Browse
Source: OldNewExplorerCfg.exe | Detection: 0% | Scanner: metadefender | Label: | Link: Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source: 0.1.OldNewExplorerCfg.exe.400000.0.unpack | Detection: 100% | Scanner: Joe Sandbox ML | Label: | Link: Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

OldNewExplorerCfg.exe (PID: 3760 cmdline: 'C:\Users\user\Desktop\OldNewExplorerCfg.exe' MD5: 65BE2E79D41C7408A1BB3F9EC1AA0812)

regsvr32.exe: 33 child processes of PID 3760, all with MD5: 426E7499F6A7346F0410DEAD0805586B, started alternately with the two command lines below (PIDs listed in start order):

cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' (PIDs: 2884, 1708, 4588, 5056, 2888, 1596, 3752, 4460, 228, 4288, 2128, 2212, 2720, 3828, 4500, 2772, 2600)

cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' (PIDs: 4220, 4572, 1832, 4428, 4464, 2808, 3016, 2500, 2440, 1876, 4716, 5060, 3536, 4648, 3736, 3460)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CPV9996DWXNH2 | Source: OldNewExplorerCfg.exe | Malicious: false | Reputation: high
Name: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CPV9996DWXNH2SV | Source: OldNewExplorerCfg.exe | Malicious: false | Reputation: high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.375145045736233
TrID:
Win32 Executable (generic) a (10002005/4) 99.81%
Windows Screen Saver (13104/52) 0.13%
Win16/32 Executable Delphi generic (2074/23) 0.02%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
File name: OldNewExplorerCfg.exe
File size: 615936 bytes
MD5: 65be2e79d41c7408a1bb3f9ec1aa0812
SHA1: e2b4c28e952af8c1c6fbdcadedd59f902afb6a3c
SHA256: 302fdeb4c369680643bbd8a14659fa23804974254a03b70f31943956b1174d7e
SHA512: 9a8546024d0514f1505c1f6ed85279287f041b2180c0079ed8270861ed0ffac499486f1804cd7ed7000584ae3b04b4991202c95562c34137ddad5d3a1c4ceb8a
SSDEEP: 12288:Z4g2efMAIUSBXfHZnRlp9fHDObbMv2PtmtXR888888888888W88888888888:GoX3SBnlCkAmtX
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......

File Icon

Icon Hash: c086b2f0e8b0b28c

Static PE Info

General

Entrypoint: 0x4737d4
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x59848E2A [Fri Aug 4 15:09:30 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 77e1fec9e1a641cf3d7dcc7b20f9bc0e

Entrypoint Preview

Instruction

push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004721C0h
call 00007FA43063A0F1h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
call 00007FA4306A01B5h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007FA4306A1D0Bh
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov edx, 00473844h
call 00007FA43069FC12h
mov ecx, dword ptr [00475B08h]
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00470BD8h]
call 00007FA4306A0196h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
call 00007FA4306A02DAh
call 00007FA4306373ADh
mov al, 04h
add al, byte ptr [eax]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7c000 | 0x2ae8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x17400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x8154 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x80000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7c83c | 0x698 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x713c0 | 0x71400 | False | 0.506133157423 | data | 6.47143659728 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext | 0x73000 | 0x864 | 0xa00 | False | 0.521484375 | data | 5.42421997392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x74000 | 0x1ec8 | 0x2000 | False | 0.392211914062 | data | 3.80480868088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0x76000 | 0x5210 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x7c000 | 0x2ae8 | 0x2c00 | False | 0.312855113636 | data | 5.14835475102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x7f000 | 0x3c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x80000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.184150656087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81000 | 0x8154 | 0x8200 | False | 0.568870192308 | data | 6.63784279374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x17400 | 0x17400 | False | 0.140751008065 | data | 4.08908389781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x8a8d8 | 0x134 | data | English | United States
RT_CURSOR | 0x8aa0c | 0x134 | data | English | United States
RT_CURSOR | 0x8ab40 | 0x134 | data | English | United States
RT_CURSOR | 0x8ac74 | 0x134 | data | English | United States
RT_CURSOR | 0x8ada8 | 0x134 | data | English | United States
RT_CURSOR | 0x8aedc | 0x134 | data | English | United States
RT_CURSOR | 0x8b010 | 0x134 | data | English | United States
RT_ICON | 0x8b144 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | Russian | Russia
RT_ICON | 0x8f36c | 0x25a8 | data | Russian | Russia
RT_ICON | 0x91914 | 0x1a68 | data | Russian | Russia
RT_ICON | 0x9337c | 0x10a8 | data | Russian | Russia
RT_ICON | 0x94424 | 0x988 | data | Russian | Russia
RT_ICON | 0x94dac | 0x468 | GLS_BINARY_LSB_FIRST | Russian | Russia
RT_STRING | 0x95214 | 0x200 | data | |
RT_STRING | 0x95414 | 0x100 | data | |
RT_STRING | 0x95514 | 0xcc | data | |
RT_STRING | 0x955e0 | 0x390 | data | |
RT_STRING | 0x95970 | 0x3b8 | data | |
RT_STRING | 0x95d28 | 0x3dc | data | |
RT_STRING | 0x96104 | 0x384 | data | |
RT_STRING | 0x96488 | 0x3f0 | data | |
RT_STRING | 0x96878 | 0x19c | data | |
RT_STRING | 0x96a14 | 0xcc | data | |
RT_STRING | 0x96ae0 | 0x194 | data | |
RT_STRING | 0x96c74 | 0x3b0 | data | |
RT_STRING | 0x97024 | 0x368 | data | |
RT_STRING | 0x9738c | 0x294 | data | |
RT_RCDATA | 0x97620 | 0x82e8 | data | English | United States
RT_RCDATA | 0x9f908 | 0x10 | data | |
RT_RCDATA | 0x9f918 | 0x2a0 | data | |
RT_RCDATA | 0x9fbb8 | 0x1068 | Delphi compiled form 'TMain' | |
RT_GROUP_CURSOR | 0xa0c20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c84 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xa0cac | 0x5a | data | Russian | Russia
RT_VERSION | 0xa0d08 | 0x314 | data | Russian | Russia
RT_MANIFEST | 0xa101c | 0x352 | XML 1.0 document, ASCII text, with CRLF line terminators | Russian | Russia

Imports

DLL: Imports

oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen

advapi32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey

user32.dll: GetKeyboardType, LoadStringW, MessageBoxA, CharNextW

kernel32.dll: GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle

kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW

user32.dll: CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout

msimg32.dll: AlphaBlend

gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExtTextOutW, ExcludeClipRect, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt

version.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW

kernel32.dll: lstrcpynW, lstrcpyW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualAlloc, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetVersionExW, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexW, CreateFileW, CreateEventW, CompareStringW, CloseHandle

advapi32.dll: RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegFlushKey, RegCreateKeyExW, RegCloseKey

user32.dll: wsprintfW

ole32.dll: OleUninitialize, OleInitialize, CoInitialize

kernel32.dll: Sleep

oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

comctl32.dll: InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

shell32.dll: ShellExecuteW

shlwapi.dll: (no named imports listed)

kernel32.dll: IsWow64Process

advapi32.dll: RegDeleteKeyExW

Version Infos

LegalCopyright: (c) Tihiy 2014
InternalName: The ONE
FileVersion: 1.1.8.4
CompanyName: Tihiy
LegalTrademarks: OldNewExplorer
Comments:
ProductName: OldNewExplorer
ProductVersion: 1.0.0.0
FileDescription: OldNewExplorer configuration
OriginalFilename:
Translation: 0x0419 0x04e3

Possible Origin

Language of compilation system | Country where language is spoken
English | United States
Russian | Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• OldNewExplorerCfg.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe • regsvr32.exe


System Behavior

Analysis Process: OldNewExplorerCfg.exe PID: 3760 Parent PID: 4364

General

Start time: 03:49:10
Start date: 15/07/2019
Path: C:\Users\user\Desktop\OldNewExplorerCfg.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\OldNewExplorerCfg.exe'
Imagebase: 0x400000
File size: 615936 bytes
MD5 hash: 65BE2E79D41C7408A1BB3F9EC1AA0812
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 2884 Parent PID: 3760

General

Start time: 03:49:15
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4220 Parent PID: 3760

General

Start time: 03:49:15
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 1708 Parent PID: 3760

General

Start time: 03:49:19
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4572 Parent PID: 3760

General

Start time: 03:49:19
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4588 Parent PID: 3760

General

Start time: 03:49:23
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 1832 Parent PID: 3760

General

Start time: 03:49:23
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 5056 Parent PID: 3760

General

Start time: 03:49:27
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4428 Parent PID: 3760

General

Start time: 03:49:27
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 2888 Parent PID: 3760

General

Start time: 03:49:30
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4464 Parent PID: 3760

General

Start time: 03:49:31
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 1596 Parent PID: 3760

General

Start time: 03:49:34
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 2808 Parent PID: 3760

General

Start time: 03:49:34
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3752 Parent PID: 3760

General

Start time: 03:49:38
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 3016 Parent PID: 3760

General

Start time: 03:49:38
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3760

General

Start time: 03:49:42
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 2500 Parent PID: 3760

General

Start time: 03:49:42
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 228 Parent PID: 3760

General

Start time: 03:49:46
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: regsvr32.exe PID: 2440 Parent PID: 3760

General

Start time: 03:49:46
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 4288 Parent PID: 3760

General

Start time: 03:49:50
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 1876 Parent PID: 3760

General

Start time: 03:49:50
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 2128 Parent PID: 3760

General

Start time: 03:49:53
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 4716 Parent PID: 3760

General

Start time: 03:49:54
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 2212 Parent PID: 3760

General

Start time: 03:49:57
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 5060 Parent PID: 3760

General

Start time: 03:49:57
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 2720 Parent PID: 3760

General

Start time: 03:50:01
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 3536 Parent PID: 3760

General

Start time: 03:50:01
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 3828 Parent PID: 3760

General

Start time: 03:50:05
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 4648 Parent PID: 3760

General

Start time: 03:50:05
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 4500 Parent PID: 3760

General

Start time: 03:50:09
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 3736 Parent PID: 3760

General

Start time: 03:50:09
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 2772 Parent PID: 3760

General

Start time: 03:50:13
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 3460 Parent PID: 3760

General

Start time: 03:50:13
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Analysis Process: regsvr32.exe PID: 2600 Parent PID: 3760

General

Start time: 03:50:17
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
