
Windows Analysis Report
hfrR6WOIt6.exe

Overview

General Information

Sample name: hfrR6WOIt6.exe (renamed because the original name is a hash value)
Original sample name: 164f5bb8a53a488503c7c9f6e2ac36c6.exe
Analysis ID: 1628983
MD5: 164f5bb8a53a488503c7c9f6e2ac36c6
SHA1: c75e789acf313bb0f6bd73680f8c187b9f9e914c
SHA256: 4e5c17b7d749518e574da7f72b3b51f86a8ae01cbde6a6109165af7c85d1443a
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Renames NTDLL to bypass HIPS
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SGDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • hfrR6WOIt6.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\hfrR6WOIt6.exe" MD5: 164F5BB8A53A488503C7C9F6E2AC36C6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
hfrR6WOIt6.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: hfrR6WOIt6.exe PID: 7484 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.hfrR6WOIt6.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.0.hfrR6WOIt6.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


          AV Detection

Source: hfrR6WOIt6.exe | Avira: detected
Source: http://124.248.65.63:3843/Miku.exe | Avira URL Cloud: Label: malware
Source: hfrR6WOIt6.exe | Virustotal: Detection: 62%
Source: hfrR6WOIt6.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.4% probability

          Compliance

Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Unpacked PE file: 0.2.hfrR6WOIt6.exe.10000000.7.unpack
Source: hfrR6WOIt6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Directory created: C:\Program Files\Common Files\YoRHa
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Directory created: C:\Program Files\Common Files\YoRHa\phantom.dll
Source: Binary string: devco n.pdbo | source: hfrR6WOIt6.exe
Source: Binary string: wntdll.pdbUGP | source: hfrR6WOIt6.exe, 00000000.00000002.2633232483.000000000302A000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1379223534.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, 690735.tmp.0.dr
Source: Binary string: wntdll.pdb | source: hfrR6WOIt6.exe, 00000000.00000002.2633232483.000000000302A000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1379223534.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, 690735.tmp.0.dr
Source: Binary string: wuser32.pdb | source: hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, 6907a2.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe | source: hfrR6WOIt6.exe
Source: Binary string: wuser32.pdbUGP | source: hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, 6907a2.tmp.0.dr
Source: Binary string: devc@on.pdb | source: hfrR6WOIt6.exe
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_005557F0 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA | 0_2_005557F0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A199
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000833D
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10022A80
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018AD3
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018AD3
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006C96
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007DB8
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018EEA
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10007FDD
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A031
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006051
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006051
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10014096
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10014096
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1000210D
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1000210D
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10003116

          Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 3842
Source: unknown | Network traffic detected: HTTP traffic on port 3842 -> 49756
Source: global traffic | TCP traffic: 192.168.2.9:49756 -> 124.248.65.63:3842
Source: global traffic | TCP traffic: 192.168.2.9:57831 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
  Accept: */*
  Accept-Language: zh-cn
  Referer: http://124.248.65.63:3842
  User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
  Content-Length: 57
  Host: 124.248.65.63:3842
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 124.248.65.63
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
  Accept: */*
  Accept-Language: zh-cn
  Referer: http://124.248.65.63:3842
  User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
  Content-Length: 57
  Host: 124.248.65.63:3842
Source: hfrR6WOIt6.exe | String found in binary or memory: http://110.40.39.178:234/?1080
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:234
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:234C:
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:3842
Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633745767.0000000003BCA000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.2010464176.0000000003BE1000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633857634.0000000003BE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://124.248.65.63:3842/
Source: hfrR6WOIt6.exe, 00000000.00000002.2633745767.0000000003BCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://124.248.65.63:3842/-
Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://124.248.65.63:3842P
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:3842SeDebugPrivilege
Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://124.248.65.63:3842odu
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:3843/Miku.exe
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:3843/Miku.exehttp://124.248.65.63:3843/mz
Source: hfrR6WOIt6.exe | String found in binary or memory: http://124.248.65.63:3843/mz
Source: hfrR6WOIt6.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://https://Mozilla/5.0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ocsp.t
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ocsps.ssl.com0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ocsps.ssl.com0Q
Source: hfrR6WOIt6.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://s.symcd.com06
Source: hfrR6WOIt6.exe | String found in binary or memory: http://sf.symc
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ts-ocsp.ws.s
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: hfrR6WOIt6.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: hfrR6WOIt6.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: hfrR6WOIt6.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: hfrR6WOIt6.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: hfrR6WOIt6.exe | String found in binary or memory: https://hcnydh4xlnv7.feishu.cn/wiki/E52swZAMCikXIikA4IkcM94knrh
Source: hfrR6WOIt6.exe | String found in binary or memory: https://hcnydh4xlnv7.feishu.cn/wiki/E52swZAMCikXIikA4IkcM94knrhhttps://hcnydh4xlnv7.feishu.cn/wiki/I
Source: hfrR6WOIt6.exe | String found in binary or memory: https://hcnydh4xlnv7.feishu.cn/wiki/IfcvwVKXtiAeZ7kWMA3cyH3Anfh
Source: hfrR6WOIt6.exe | String found in binary or memory: https://ww(w.v
Source: hfrR6WOIt6.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_fec2ee0e-c
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00559ECA GetKeyState,GetKeyState,GetKeyState,GetKeyState | 0_2_00559ECA
Source: Yara match | File source: hfrR6WOIt6.exe, type: SAMPLE
Source: Yara match | File source: 0.2.hfrR6WOIt6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.hfrR6WOIt6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: hfrR6WOIt6.exe PID: 7484, type: MEMORYSTR
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory allocated: 77680000 page execute and read and write
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory allocated: 75AF0000 page execute and read and write
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B2D330
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B32AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B32AD0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B27A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B27A30
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B262B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A | 0_2_02B262B0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B26210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A | 0_2_02B26210
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA | 0_2_02B2C3F0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B3D330
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B28310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA | 0_2_02B28310
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B41370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA | 0_2_02B41370
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B26350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B26350
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B29340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA | 0_2_02B29340
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B26010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect | 0_2_02B26010
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B31630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA | 0_2_02B31630
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B34790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B34790
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B3E7F0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B28710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent | 0_2_02B28710
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B2F750
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B414B0 GetPropA,NtdllDefWindowProc_A | 0_2_02B414B0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B2E440
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B24510 NtdllDefWindowProc_A | 0_2_02B24510
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B26560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B26560
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B2DA90
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B32BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B32BF0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B24BD0 NtdllDefWindowProc_A | 0_2_02B24BD0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2CBC0 GetPropA,NtdllDefWindowProc_A | 0_2_02B2CBC0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B40B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B40B70
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B298B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer | 0_2_02B298B0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B248E0 NtdllDefWindowProc_A | 0_2_02B248E0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA | 0_2_02B3D8E0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B3C800
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B25900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A | 0_2_02B25900
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B25940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A | 0_2_02B25940
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B34EA0 GetPropA,NtdllDefWindowProc_A | 0_2_02B34EA0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA | 0_2_02B3FEA0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B22E40 NtdllDefWindowProc_A | 0_2_02B22E40
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B28CB0 GetPropA,NtdllDefWindowProc_A | 0_2_02B28CB0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B33DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B33DA0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA | 0_2_02B2FD50
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect | 0_2_02B3FD50
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B28D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A | 0_2_02B28D40
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_10007FDD NtClose | 0_2_10007FDD
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_005166D0: CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,CloseHandle,DeviceIoControl,CloseHandle,CloseHandle | 0_2_005166D0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004B0690 | 0_2_004B0690
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00557647 | 0_2_00557647
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004C3810 | 0_2_004C3810
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053A043 | 0_2_0053A043
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1C0BF | 0_2_00A1C0BF
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004CE150 | 0_2_004CE150
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053A2A3 | 0_2_0053A2A3
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053C3E3 | 0_2_0053C3E3
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053E4E6 | 0_2_0053E4E6
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00488574 | 0_2_00488574
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004EA600 | 0_2_004EA600
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053EA0A | 0_2_0053EA0A
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041EB33 | 0_2_0041EB33
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0051CC00 | 0_2_0051CC00
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053ACCA | 0_2_0053ACCA
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053ED8A | 0_2_0053ED8A
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00551070 | 0_2_00551070
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0046F1D6 | 0_2_0046F1D6
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053D1F6 | 0_2_0053D1F6
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0054D476 | 0_2_0054D476
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053580E | 0_2_0053580E
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0053B950 | 0_2_0053B950
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00539920 | 0_2_00539920
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004C59B0 | 0_2_004C59B0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00539D48 | 0_2_00539D48
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004CFF20 | 0_2_004CFF20
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B37540 | 0_2_02B37540
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B22250 | 0_2_02B22250
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B4939F | 0_2_02B4939F
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2B6E0 | 0_2_02B2B6E0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B37BA0 | 0_2_02B37BA0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B48B97 | 0_2_02B48B97
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B23970 | 0_2_02B23970
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B2EDA0 | 0_2_02B2EDA0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process token adjusted: Security
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: String function: 00546F54 appears 33 times
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: String function: 02B460E2 appears 34 times
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: String function: 004015B5 appears 49 times
Source: 690735.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 690735.tmp.0.dr | Static PE information: No import functions for PE file found
Source: hfrR6WOIt6.exe, 00000000.00000002.2631744207.0000000000566000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000000.1373724578.000000000063D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000000.1373724578.0000000000566000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000002.2633391536.0000000003280000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000003.1379223534.0000000002F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000002.2632945900.0000000002B5C000.00000004.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe, 00000000.00000002.2633232483.0000000003157000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe | Binary or memory string: OriginalFilenameSkinH_EL.dll vs hfrR6WOIt6.exe
Source: hfrR6WOIt6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 690735.tmp.0.dr | Binary string: \Device\IPT[
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/4@1/1
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00401216 LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle | 0_2_00401216
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B3B8F0 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,FreeLibrary | 0_2_02B3B8F0
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File created: C:\Program Files\Common Files\YoRHa
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File created: C:\Users\user\AppData\Local\Temp\690735.tmp
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File read: C:\duowan.ini
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hfrR6WOIt6.exe | Virustotal: Detection: 62%
Source: hfrR6WOIt6.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File read: C:\Users\user\Desktop\hfrR6WOIt6.exe
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: jscript.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\InprocServer32
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exeFile written: C:\duowan.iniJump to behavior
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exeDirectory created: C:\Program Files\Common Files\YoRHaJump to behavior
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exeDirectory created: C:\Program Files\Common Files\YoRHa\phantom.dllJump to behavior
          Source: hfrR6WOIt6.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: hfrR6WOIt6.exeStatic file information: File size 7622656 > 1048576
          Source: hfrR6WOIt6.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x165000
          Source: hfrR6WOIt6.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x43a000
          Source: hfrR6WOIt6.exeStatic PE information: Raw size of .cnm0 is bigger than: 0x100000 < 0x172000
          Source: Binary string: devco n.pdbo source: hfrR6WOIt6.exe
          Source: Binary string: wntdll.pdbUGP source: hfrR6WOIt6.exe, 00000000.00000002.2633232483.000000000302A000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1379223534.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, 690735.tmp.0.dr
          Source: Binary string: wntdll.pdb source: hfrR6WOIt6.exe, 00000000.00000002.2633232483.000000000302A000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1379223534.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, 690735.tmp.0.dr
          Source: Binary string: wuser32.pdb source: hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, 6907a2.tmp.0.dr
          Source: Binary string: DrvInDM U.pdbe source: hfrR6WOIt6.exe
          Source: Binary string: wuser32.pdbUGP source: hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, 6907a2.tmp.0.dr
          Source: Binary string: devc@on.pdb source: hfrR6WOIt6.exe

          Data Obfuscation

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Unpacked PE file: 0.2.hfrR6WOIt6.exe.10000000.7.unpack
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004C4E00 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4E00
          Source: initial sample | Static PE information: section where entry point is pointing to: .cnm1
          Source: hfrR6WOIt6.exe | Static PE information: section name: .cnm0
          Source: hfrR6WOIt6.exe | Static PE information: section name: .cnm1
          Source: 690735.tmp.0.dr | Static PE information: section name: RT
          Source: 690735.tmp.0.dr | Static PE information: section name: .mrdata
          Source: 690735.tmp.0.dr | Static PE information: section name: .00cfg
          Source: 6907a2.tmp.0.dr | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1209B pushfd ; mov dword ptr [esp], ebx 0_2_00A9529C
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1209B pushfd ; mov dword ptr [esp], ebx 0_2_00AAC7C8
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1209B pushfd ; mov dword ptr [esp], 689F214Bh 0_2_00ABE41E
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A120DA push dword ptr [esp+30h]; retn 0034h 0_2_00A1210A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A480DA push dword ptr [esp+2Ch]; retn 0030h 0_2_00AE83E5
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00B3803A push dword ptr [esp+40h]; retn 0044h 0_2_00B59ECF
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00AD41A9 push dword ptr [esp+3Ch]; retn 0040h 0_2_00AD41D6
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A861AD push dword ptr [esp+50h]; retn 0054h 0_2_00A861CA
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A16A push dword ptr [esp+44h]; retn 0048h 0_2_0041A211
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00544110 push eax; ret 0_2_0054413E
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00402116 pushfd ; mov dword ptr [esp], esi 0_2_00402117
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00ABA12B push edi; mov dword ptr [esp], ebx 0_2_00ABA176
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00B5C2EE push dword ptr [esp+2Ch]; retn 0034h 0_2_00B5C311
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A603B3 push dword ptr [esp+14h]; retn 0018h 0_2_00A603DC
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040C301 pushfd ; mov dword ptr [esp], ebx 0_2_0040CC8A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040C301 pushfd ; mov dword ptr [esp], ebx 0_2_0040CC8A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00B663C3 push dword ptr [esp+48h]; retn 004Ch 0_2_00B663DB
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0042833B push dword ptr [esp+2Ch]; retn 0030h 0_2_0042834A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A8E320 push dword ptr [esp+4Ch]; retn 0050h 0_2_00A8E32B
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A3E6 push ebp; mov dword ptr [esp], ecx 0_2_0041A3EA
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00AAC488 push dword ptr [esp+10h]; retn 0014h 0_2_00AAC4E3
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00AA642B push dword ptr [esp+50h]; retn 0058h 0_2_00AD3D8B
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040C485 pushfd ; mov dword ptr [esp], edx 0_2_0040C48C
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040C49F push dword ptr [esp+30h]; retn 0034h 0_2_0040C4B0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040A50B pushfd ; mov dword ptr [esp], 8811E59Fh 0_2_0040A510
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A6F9 push FEA442D1h; mov dword ptr [esp], esi 0_2_0041A700
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00AF667B push dword ptr [esp+40h]; retn 0044h 0_2_00AF6688
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A754 push dword ptr [esp+44h]; retn 0048h 0_2_0041A7D2
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A709 push dword ptr [esp+44h]; retn 0048h 0_2_0041A7D2
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A787 push dword ptr [esp+44h]; retn 0048h 0_2_0041A7D2
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040A790 push dword ptr [esp+30h]; retn 0034h 0_2_0040C4B0
          Source: hfrR6WOIt6.exe | Static PE information: section name: .cnm0 entropy: 7.888736173158202
          Source: hfrR6WOIt6.exe | Static PE information: section name: .cnm1 entropy: 7.4244762734970395
          Source: 690735.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1

          Persistence and Installation Behavior

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CloseHandle,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_00516840
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00516D90
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_005170B0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_005173F0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File created: C:\Program Files\Common Files\YoRHa\phantom.dll
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File created: C:\Users\user\AppData\Local\Temp\690735.tmp
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File created: C:\Users\user\AppData\Local\Temp\6907a2.tmp

          Boot Survival

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CloseHandle,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_00516840
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00516D90
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_005170B0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_005173F0

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 77680005 value: E9 2B BA E8 FF
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 7750BA30 value: E9 6B 4E 50 89
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 77680017 value: E9 7C 8E ED FF
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 77558E90 value: E9 9B 7A 4B 89
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 75AF0005 value: E9 8B 8A B4 FF
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 75638A90 value: E9 1B 7D 3D 8B
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 75AF0014 value: E9 1C 02 B7 FF
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Memory written: PID: 7484 base: 75660230 value: E9 0B 06 3B 8B
          Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 3842
          Source: unknown | Network traffic detected: HTTP traffic on port 3842 -> 49756
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004C3810 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,KiUserCallbackDispatcher,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 0_2_004C3810
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00542114 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00542114
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004CCF00 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_004CCF00
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B26010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect, 0_2_02B26010
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B43070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty, 0_2_02B43070
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B43070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty, 0_2_02B43070
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B45780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible, 0_2_02B45780
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B298B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer, 0_2_02B298B0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B41800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA, 0_2_02B41800
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B24E30 IsWindowVisible,GetWindowRect,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,SelectObject,DeleteObject, 0_2_02B24E30
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File opened: C:\Windows\SysWOW64\ntdll.dll
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | File opened: C:\Windows\SysWOW64\ntdll.dll
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | RDTSC instruction interceptor: First address: A66EDC second address: AF887F instructions: 0x00000000 rdtsc 0x00000002 call 00007F4C49043873h 0x00000007 pushfd 0x00000008 lea edx, dword ptr [78C71F60h+eax*2] 0x0000000f mov eax, dword ptr [ecx] 0x00000011 jmp 00007F4C48F45648h 0x00000016 mov edx, dword ptr [eax+0Ch] 0x00000019 pushfd 0x0000001a lea esp, dword ptr [esp+10h] 0x0000001e jc 00007F4C48F0DE2Ah 0x00000024 push E485F571h 0x00000029 call 00007F4C48FEC182h 0x0000002e mov dword ptr [esp+04h], 00A230FCh 0x00000036 pushad 0x00000037 mov dword ptr [esp+20h], edi 0x0000003b pushad 0x0000003c call 00007F4C48F7E765h 0x00000041 push edi 0x00000042 mov dword ptr [esp+44h], 00A5DA7Fh 0x0000004a pushfd 0x0000004b push dword ptr [esp] 0x0000004e mov dword ptr [esp+48h], edx 0x00000052 mov byte ptr [esp+08h], dh 0x00000056 mov word ptr [esp+08h], 1E69h 0x0000005d push dword ptr [esp+48h] 0x00000061 retn 004Ch 0x00000064 jmp 00007F4C49061538h 0x00000069 call 00007F4C48F4FFEAh 0x0000006e sub edx, 60FEF360h 0x00000074 sal dh, cl 0x00000076 rcr dh, 00000006h 0x00000079 mov dword ptr [esp], ebp 0x0000007c lahf 0x0000007d pushad 0x0000007e lea ebp, dword ptr [esp+20h] 0x00000082 sar dx, cl 0x00000085 sub esp, 000004B0h 0x0000008b rdtsc
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | RDTSC instruction interceptor: First address: A624C0 second address: A624C0 instructions: 0x00000000 rdtsc 0x00000002 aad B1h 0x00000004 bsr ax, si 0x00000008 lea eax, dword ptr [esi+ecx] 0x0000000b btc dx, 000Fh 0x00000010 cdq 0x00000011 call 00007F4C4902E31Bh 0x00000016 clc 0x00000017 cmc 0x00000018 pushfd 0x00000019 sub eax, edx 0x0000001b bsf dx, di 0x0000001f call 00007F4C48E4CECBh 0x00000024 sub dh, bl 0x00000026 clc 0x00000027 sar eax, 1 0x00000029 inc dl 0x0000002b adc dl, dh 0x0000002d stc 0x0000002e inc dx 0x00000031 movzx edx, word ptr [edi+eax*8+04h] 0x00000036 push CDC0282Eh 0x0000003b pushad 0x0000003c cmc 0x0000003d cmc 0x0000003e cmp dx, bx 0x00000041 call 00007F4C49001BF0h 0x00000046 mov word ptr [esp+04h], bp 0x0000004b mov byte ptr [esp+08h], cl 0x0000004f lea esp, dword ptr [esp+34h] 0x00000053 je 00007F4C48FB8D93h 0x00000059 push E19D80F8h 0x0000005e jmp 00007F4C48EC78F2h 0x00000063 call 00007F4C49023D5Ch 0x00000068 call 00007F4C48FAC5F1h 0x0000006d lea esp, dword ptr [esp+0Ch] 0x00000071 jbe 00007F4C48F34800h 0x00000077 ror ch, cl 0x00000079 lea ecx, dword ptr [eax+01h] 0x0000007c clc 0x0000007d bt edx, 0Eh 0x00000081 cmc 0x00000082 cmp ecx, esi 0x00000084 call 00007F4C48F12AA9h 0x00000089 pushfd 0x0000008a pushad 0x0000008b call 00007F4C48F38BB6h 0x00000090 lea esp, dword ptr [esp+2Ch] 0x00000094 jng 00007F4C48F6B506h 0x0000009a rdtsc
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A16A rdtsc 0_2_0041A16A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004D8CF0 sgdt fword ptr [ebp-08h] 0_2_004D8CF0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\YoRHa\phantom.dll
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\690735.tmp
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6907a2.tmp
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-111590)
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | API coverage: 8.7 %
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe TID: 7592 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe TID: 7588 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_005557F0 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_005557F0
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004427AB GetSystemInfo, 0_2_004427AB
          Source: hfrR6WOIt6.exe, 00000000.00000003.2010538529.0000000003BEC000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633888907.0000000003BEF000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.2010464176.0000000003BEA000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.2010464176.0000000003BE1000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633857634.0000000003BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process queried: DebugObjectHandle
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0041A16A rdtsc 0_2_0041A16A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_10004B1B LdrInitializeThunk, 0_2_10004B1B
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1C906 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A1C906
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004C4E00 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4E00
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0042A396 mov ebx, dword ptr fs:[00000030h] 0_2_0042A396
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00444631 mov ebx, dword ptr fs:[00000030h] 0_2_00444631
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00442E8F mov eax, dword ptr fs:[00000030h] 0_2_00442E8F
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004010DC mov ebx, dword ptr fs:[00000030h] 0_2_004010DC
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040B2C9 mov ecx, dword ptr fs:[00000030h] 0_2_0040B2C9
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_004B1160 GetProcessHeap,RtlAllocateHeap, 0_2_004B1160
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A1C906 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A1C906
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A18ECB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A18ECB
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00A19019 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A19019
          Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
          Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindowK+
          Source: hfrR6WOIt6.exe, 00000000.00000002.2632430053.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000002.2633391536.00000000031D8000.00000040.00000020.00020000.00000000.sdmp, hfrR6WOIt6.exe, 00000000.00000003.1380286735.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0040ACA8 cpuid 0_2_0040ACA8
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: GetLocaleInfoA, 0_2_00A1D010
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_00545650 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_00545650
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_0054666A GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0054666A
          Source: C:\Users\user\Desktop\hfrR6WOIt6.exe | Code function: 0_2_02B39250 70214BC0,GetVersion, 0_2_02B39250
          Tactic | Techniques (a leading number is the report's hit count for that technique; techniques without a number are listed by the matrix without hits)
          Reconnaissance | Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
          Resource Development | Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
          Initial Access | Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
          Execution | 2 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
          Persistence | 1 Bootkit, 1 LSASS Driver, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
          Privilege Escalation | 1 Access Token Manipulation, 1 Process Injection, 1 LSASS Driver, 1 DLL Side-Loading, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
          Defense Evasion | 2 Masquerading, 13 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 41 Obfuscated Files or Information, 1 Bootkit, 111 Software Packing, 1 DLL Side-Loading
          Credential Access | 1 Credential API Hooking, 21 Input Capture, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
          Discovery | 2 System Time Discovery, 241 Security Software Discovery, 13 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 Application Window Discovery, 3 File and Directory Discovery, 125 System Information Discovery, System Owner/User Discovery, Network Sniffing
          Lateral Movement | Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
          Collection | 1 Credential API Hooking, 21 Input Capture, 1 Archive Collected Data, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
          Command and Control | 1 Encrypted Channel, 11 Non-Standard Port, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
          Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact | Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
