ID: 152305 Sample Name: OldNewExplorerCfg.exe Cookbook: default.jbs Time: 03:48:12 Date: 15/07/2019 Version: 26.0.0 Aquamarine Table of Contents
Table of Contents 2
Analysis Report OldNewExplorerCfg.exe 5
Overview 5
General Information 5
Detection 5
Confidence 6
Classification 6
Analysis Advice 6
Mitre Att&ck Matrix 7
Signature Overview 7
AV Detection: 7
Spreading: 7
Networking: 7
Key, Mouse, Clipboard, Microphone and Screen Capturing: 7
DDoS: 8
System Summary: 8
Data Obfuscation: 8
Hooking and other Techniques for Hiding and Protection: 8
Malware Analysis System Evasion: 8
Anti Debugging: 8
HIPS / PFW / Operating System Protection Evasion: 8
Language, Device and Operating System Detection: 8
Behavior Graph 9
Simulations 9
Behavior and APIs 9
Antivirus and Machine Learning Detection 9
Initial Sample 9
Dropped Files 9
Unpacked PE Files 9
Domains 10
URLs 10
Yara Overview 10
Initial Sample 10
PCAP (Network Traffic) 10
Dropped Files 10
Memory Dumps 10
Unpacked PEs 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 11
Startup 11
Created / dropped Files 12
Domains and IPs 12
Contacted Domains 12
URLs from Memory and Binaries 12
Contacted IPs 12
Static File Info 12
General 12
File Icon 13
Static PE Info 13
General 13
Entrypoint Preview 13
Data Directories 14
Sections 14
Copyright Joe Security LLC 2019 Page 2 of 27
Resources 14
Imports 15
Version Infos 16
Possible Origin 16
Network Behavior 17
Code Manipulations 17
Statistics 17
Behavior 17
System Behavior 17
Analysis Process: OldNewExplorerCfg.exe PID: 3760 Parent PID: 4364 18
General 18
File Activities 18
Analysis Process: regsvr32.exe PID: 2884 Parent PID: 3760 18
General 18
Analysis Process: regsvr32.exe PID: 4220 Parent PID: 3760 18
General 18
Analysis Process: regsvr32.exe PID: 1708 Parent PID: 3760 18
General 19
Analysis Process: regsvr32.exe PID: 4572 Parent PID: 3760 19
General 19
Analysis Process: regsvr32.exe PID: 4588 Parent PID: 3760 19
General 19
Analysis Process: regsvr32.exe PID: 1832 Parent PID: 3760 19
General 19
Analysis Process: regsvr32.exe PID: 5056 Parent PID: 3760 20
General 20
Analysis Process: regsvr32.exe PID: 4428 Parent PID: 3760 20
General 20
Analysis Process: regsvr32.exe PID: 2888 Parent PID: 3760 20
General 20
Analysis Process: regsvr32.exe PID: 4464 Parent PID: 3760 20
General 20
Analysis Process: regsvr32.exe PID: 1596 Parent PID: 3760 21
General 21
Analysis Process: regsvr32.exe PID: 2808 Parent PID: 3760 21
General 21
Analysis Process: regsvr32.exe PID: 3752 Parent PID: 3760 21
General 21
Analysis Process: regsvr32.exe PID: 3016 Parent PID: 3760 22
General 22
Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3760 22
General 22
Analysis Process: regsvr32.exe PID: 2500 Parent PID: 3760 22
General 22
Analysis Process: regsvr32.exe PID: 228 Parent PID: 3760 22
General 22
Analysis Process: regsvr32.exe PID: 2440 Parent PID: 3760 23
General 23
Analysis Process: regsvr32.exe PID: 4288 Parent PID: 3760 23
General 23
Analysis Process: regsvr32.exe PID: 1876 Parent PID: 3760 23
General 23
Analysis Process: regsvr32.exe PID: 2128 Parent PID: 3760 23
General 24
Analysis Process: regsvr32.exe PID: 4716 Parent PID: 3760 24
General 24
Analysis Process: regsvr32.exe PID: 2212 Parent PID: 3760 24
General 24
Analysis Process: regsvr32.exe PID: 5060 Parent PID: 3760 24
General 24
Analysis Process: regsvr32.exe PID: 2720 Parent PID: 3760 25
General 25
Analysis Process: regsvr32.exe PID: 3536 Parent PID: 3760 25
General 25
Analysis Process: regsvr32.exe PID: 3828 Parent PID: 3760 25
General 25
Analysis Process: regsvr32.exe PID: 4648 Parent PID: 3760 25
General 25
Analysis Process: regsvr32.exe PID: 4500 Parent PID: 3760 26
General 26
Analysis Process: regsvr32.exe PID: 3736 Parent PID: 3760 26
General 26
Analysis Process: regsvr32.exe PID: 2772 Parent PID: 3760 26
General 26
Analysis Process: regsvr32.exe PID: 3460 Parent PID: 3760 26
General 26
Analysis Process: regsvr32.exe PID: 2600 Parent PID: 3760 27
General 27
Disassembly 27
Code Analysis 27
Analysis Report OldNewExplorerCfg.exe
Overview
General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 152305
Start date: 15.07.2019
Start time: 03:48:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: OldNewExplorerCfg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@96/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 99.7% (good quality ratio 87%)
Quality average: 75.2%
Quality standard deviation: 34.2%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe; Report size exceeded maximum capacity and may have missing behavior information; Report size getting too big, too many NtOpenKeyEx calls found; Report size getting too big, too many NtQueryValueKey calls found
Detection
Strategy | Score | Range | Reporting Whitelisted | Detection
Threshold | 48 | 0 - 100 | false |
Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |
Classification
Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale from malicious through suspicious to clean.
Analysis Advice
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | New Service 1 | Exploitation for Privilege Escalation 1 | Software Packing 1 | Input Capture 1 1 | System Time Discovery 1 | Application Deployment Software | Screen Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 1 | Process Injection 1 | Network Sniffing | Process Discovery 1 | Remote Services | Input Capture 1 1 | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | New Service 1 | Deobfuscate/Decode Files or Information 1 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | Security Software Discovery 1 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | DLL Side-Loading 1 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery 2 4 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Signature Overview
• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• DDoS
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
AV Detection:
Antivirus or Machine Learning detection for unpacked file
Spreading:
Contains functionality to enumerate / list files inside a directory
Networking:
Urls found in memory or binary data
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
DDoS:
Too many similar processes found
System Summary:
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Classification label
Contains functionality for error logging
Contains functionality to check free disk space
Contains functionality to load and extract PE file embedded resources
Parts of this application use Borland Delphi (probably coded in Delphi)
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Executable creates window controls seldom found in malware
Found GUI installer (many successful clicks)
Data Obfuscation:
Registers a DLL
Uses code obfuscation techniques (call, push, ret)
Hooking and other Techniques for Hiding and Protection:
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Found large amount of non-executed APIs
Queries keyboard layouts
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
HIPS / PFW / Operating System Protection Evasion:
Contains functionality to launch a program with higher privileges
May try to detect the Windows Explorer process (often used for injection)
Language, Device and Operating System Detection:
Contains functionality to query locale information (e.g. system language)
Contains functionality to query local / system time
Contains functionality to query windows version
Behavior Graph
Behavior graph (figure): ID 152305, Sample OldNewExplorerCfg.exe, Startdate 15/07/2019, Architecture WINDOWS, Score 48. OldNewExplorerCfg.exe (flagged "Is malicious") started regsvr32.exe, regsvr32.exe, regsvr32.exe and 30 other processes; signature shown: "Too many similar processes found".
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.
Simulations
Behavior and APIs
Time | Type | Description
03:49:14 | API Interceptor | 2x Sleep call for process: OldNewExplorerCfg.exe modified
Antivirus and Machine Learning Detection
Initial Sample
Source | Detection | Scanner | Label | Link
OldNewExplorerCfg.exe | 0% | virustotal | | Browse
OldNewExplorerCfg.exe | 0% | metadefender | | Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
Source | Detection | Scanner | Label | Link | Download
0.1.OldNewExplorerCfg.exe.400000.0.unpack | 100% | Joe Sandbox ML | | | Download File
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
OldNewExplorerCfg.exe (PID: 3760 cmdline: 'C:\Users\user\Desktop\OldNewExplorerCfg.exe' MD5: 65BE2E79D41C7408A1BB3F9EC1AA0812)
  regsvr32.exe (PID: 2884 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4220 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 1708 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4572 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4588 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 1832 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 5056 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4428 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2888 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4464 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 1596 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2808 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3752 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3016 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4460 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2500 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 228 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2440 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4288 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 1876 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2128 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4716 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2212 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 5060 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2720 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3536 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3828 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4648 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 4500 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3736 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2772 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 3460 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  regsvr32.exe (PID: 2600 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
cleanup
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CPV9996DWXNH2 | OldNewExplorerCfg.exe | false | | high
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CPV9996DWXNH2SV | OldNewExplorerCfg.exe | false | | high
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.375145045736233
TrID: Win32 Executable (generic) a (10002005/4) 99.81%; Windows Screen Saver (13104/52) 0.13%; Win16/32 Executable Delphi generic (2074/23) 0.02%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%
File name: OldNewExplorerCfg.exe
File size: 615936
MD5: 65be2e79d41c7408a1bb3f9ec1aa0812
SHA1: e2b4c28e952af8c1c6fbdcadedd59f902afb6a3c
SHA256: 302fdeb4c369680643bbd8a14659fa23804974254a03b70f31943956b1174d7e
SHA512: 9a8546024d0514f1505c1f6ed85279287f041b2180c0079ed8270861ed0ffac499486f1804cd7ed7000584ae3b04b4991202c95562c34137ddad5d3a1c4ceb8a
SSDEEP: 12288:Z4g2efMAIUSBXfHZnRlp9fHDObbMv2PtmtXR888888888888W88888888888:GoX3SBnlCkAmtX
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......
File Icon
Icon Hash: c086b2f0e8b0b28c
Static PE Info
General
Entrypoint: 0x4737d4
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x59848E2A [Fri Aug 4 15:09:30 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 77e1fec9e1a641cf3d7dcc7b20f9bc0e
Entrypoint Preview
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004721C0h
call 00007FA43063A0F1h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
call 00007FA4306A01B5h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007FA4306A1D0Bh
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov edx, 00473844h
call 00007FA43069FC12h
mov ecx, dword ptr [00475B08h]
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00470BD8h]
call 00007FA4306A0196h
mov eax, dword ptr [00475D44h]
mov eax, dword ptr [eax]
call 00007FA4306A02DAh
call 00007FA4306373ADh
mov al, 04h
add al, byte ptr [eax]
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7c000 | 0x2ae8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x17400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x8154 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x80000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7c83c | 0x698 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x713c0 | 0x71400 | False | 0.506133157423 | data | 6.47143659728 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext | 0x73000 | 0x864 | 0xa00 | False | 0.521484375 | data | 5.42421997392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x74000 | 0x1ec8 | 0x2000 | False | 0.392211914062 | data | 3.80480868088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0x76000 | 0x5210 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x7c000 | 0x2ae8 | 0x2c00 | False | 0.312855113636 | data | 5.14835475102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x7f000 | 0x3c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x80000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.184150656087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81000 | 0x8154 | 0x8200 | False | 0.568870192308 | data | 6.63784279374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x17400 | 0x17400 | False | 0.140751008065 | data | 4.08908389781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x8a8d8 | 0x134 | data | English | United States
RT_CURSOR | 0x8aa0c | 0x134 | data | English | United States
RT_CURSOR | 0x8ab40 | 0x134 | data | English | United States
RT_CURSOR | 0x8ac74 | 0x134 | data | English | United States
RT_CURSOR | 0x8ada8 | 0x134 | data | English | United States
RT_CURSOR | 0x8aedc | 0x134 | data | English | United States
RT_CURSOR | 0x8b010 | 0x134 | data | English | United States
RT_ICON | 0x8b144 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | Russian | Russia
RT_ICON | 0x8f36c | 0x25a8 | data | Russian | Russia
RT_ICON | 0x91914 | 0x1a68 | data | Russian | Russia
RT_ICON | 0x9337c | 0x10a8 | data | Russian | Russia
RT_ICON | 0x94424 | 0x988 | data | Russian | Russia
RT_ICON | 0x94dac | 0x468 | GLS_BINARY_LSB_FIRST | Russian | Russia
RT_STRING | 0x95214 | 0x200 | data | |
RT_STRING | 0x95414 | 0x100 | data | |
RT_STRING | 0x95514 | 0xcc | data | |
RT_STRING | 0x955e0 | 0x390 | data | |
RT_STRING | 0x95970 | 0x3b8 | data | |
RT_STRING | 0x95d28 | 0x3dc | data | |
RT_STRING | 0x96104 | 0x384 | data | |
RT_STRING | 0x96488 | 0x3f0 | data | |
RT_STRING | 0x96878 | 0x19c | data | |
RT_STRING | 0x96a14 | 0xcc | data | |
RT_STRING | 0x96ae0 | 0x194 | data | |
RT_STRING | 0x96c74 | 0x3b0 | data | |
RT_STRING | 0x97024 | 0x368 | data | |
RT_STRING | 0x9738c | 0x294 | data | |
RT_RCDATA | 0x97620 | 0x82e8 | data | English | United States
RT_RCDATA | 0x9f908 | 0x10 | data | |
RT_RCDATA | 0x9f918 | 0x2a0 | data | |
RT_RCDATA | 0x9fbb8 | 0x1068 | Delphi compiled form 'TMain' | |
RT_GROUP_CURSOR | 0xa0c20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c84 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xa0c98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xa0cac | 0x5a | data | Russian | Russia
RT_VERSION | 0xa0d08 | 0x314 | data | Russian | Russia
RT_MANIFEST | 0xa101c | 0x352 | XML 1.0 document, ASCII text, with CRLF line terminators | Russian | Russia
Imports
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | AlphaBlend
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExtTextOutW, ExcludeClipRect, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll | lstrcpynW, lstrcpyW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualAlloc, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetVersionExW, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexW, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll | RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegFlushKey, RegCreateKeyExW, RegCloseKey
user32.dll | wsprintfW
ole32.dll | OleUninitialize, OleInitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | ShellExecuteW
shlwapi.dll |
kernel32.dll | IsWow64Process
advapi32.dll | RegDeleteKeyExW
Version Infos
Description | Data
LegalCopyright | (c) Tihiy 2014
InternalName | The ONE
FileVersion | 1.1.8.4
CompanyName | Tihiy
LegalTrademarks | OldNewExplorer
Comments |
ProductName | OldNewExplorer
ProductVersion | 1.0.0.0
FileDescription | OldNewExplorer configuration
OriginalFilename |
Translation | 0x0419 0x04e3
Possible Origin
Language of compilation system | Country where language is spoken | Map
English | United States |
Russian | Russia |
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: OldNewExplorerCfg.exe PID: 3760 Parent PID: 4364
General
Start time: 03:49:10
Start date: 15/07/2019
Path: C:\Users\user\Desktop\OldNewExplorerCfg.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\OldNewExplorerCfg.exe'
Imagebase: 0x400000
File size: 615936 bytes
MD5 hash: 65BE2E79D41C7408A1BB3F9EC1AA0812
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Source File Path Offset Length Completion Count Address Symbol
Analysis Process: regsvr32.exe PID: 2884 Parent PID: 3760
General
Start time: 03:49:15
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4220 Parent PID: 3760
General
Start time: 03:49:15
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 1708 Parent PID: 3760
General
Start time: 03:49:19
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4572 Parent PID: 3760
General
Start time: 03:49:19
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4588 Parent PID: 3760
General
Start time: 03:49:23
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 1832 Parent PID: 3760
General
Start time: 03:49:23
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 5056 Parent PID: 3760
General
Start time: 03:49:27
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4428 Parent PID: 3760
General
Start time: 03:49:27
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 2888 Parent PID: 3760
General
Start time: 03:49:30
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4464 Parent PID: 3760
General
Start time: 03:49:31
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 1596 Parent PID: 3760
General
Start time: 03:49:34
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 2808 Parent PID: 3760
General
Start time: 03:49:34
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 3752 Parent PID: 3760
General
Start time: 03:49:38
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 3016 Parent PID: 3760
General
Start time: 03:49:38
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3760
General
Start time: 03:49:42
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 2500 Parent PID: 3760
General
Start time: 03:49:42
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 228 Parent PID: 3760
General
Start time: 03:49:46
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: regsvr32.exe PID: 2440 Parent PID: 3760
General
Start time: 03:49:46
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 4288 Parent PID: 3760
General
Start time: 03:49:50
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 1876 Parent PID: 3760
General
Start time: 03:49:50
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 2128 Parent PID: 3760
General
Start time: 03:49:53
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 4716 Parent PID: 3760
General
Start time: 03:49:54
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 2212 Parent PID: 3760
General
Start time: 03:49:57
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 5060 Parent PID: 3760
General
Start time: 03:49:57
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 2720 Parent PID: 3760
General
Start time: 03:50:01
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 3536 Parent PID: 3760
General
Start time: 03:50:01
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 3828 Parent PID: 3760
General
Start time: 03:50:05
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 4648 Parent PID: 3760
General
Start time: 03:50:05
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 4500 Parent PID: 3760
General
Start time: 03:50:09
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 3736 Parent PID: 3760
General
Start time: 03:50:09
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 2772 Parent PID: 3760
General
Start time: 03:50:13
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 3460 Parent PID: 3760
General
Start time: 03:50:13
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer32.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: regsvr32.exe PID: 2600 Parent PID: 3760
General
Start time: 03:50:17
Start date: 15/07/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\Desktop\OldNewExplorer64.dll'
Imagebase: 0x9c0000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Disassembly
Code Analysis