Play interactive tour

Edit tour

Analysis Report company profile.scr

Overview

General Information

Sample Name:	company profile.scr (renamed file extension from scr to exe)
Analysis ID:	342227
MD5:	02f3eef9da2ef90d0cf59bfaca176886
SHA1:	6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
SHA256:	76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
Tags:	NanoCoreRATscr
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

company profile.exe (PID: 5960 cmdline: 'C:\Users\user\Desktop\company profile.exe' MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

schtasks.exe (PID: 5976 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

company profile.exe (PID: 204 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

company profile.exe (PID: 2540 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

company profile.exe (PID: 6080 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

schtasks.exe (PID: 5864 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

company profile.exe (PID: 4920 cmdline: 'C:\Users\user\Desktop\company profile.exe' 0 MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

schtasks.exe (PID: 6368 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

company profile.exe (PID: 6412 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

company profile.exe (PID: 6420 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

company profile.exe (PID: 6440 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

company profile.exe (PID: 6456 cmdline: {path} MD5: 02F3EEF9DA2EF90D0CF59BFACA176886)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["105.112.102.172"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x144bd:$x1: NanoCore.ClientPluginHost 0x144fa:$x2: IClientNetworkHost 0x1802d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14225:$a: NanoCore 0x14235:$a: NanoCore 0x14469:$a: NanoCore 0x1447d:$a: NanoCore 0x144bd:$a: NanoCore 0x14284:$b: ClientPlugin 0x14486:$b: ClientPlugin 0x144c6:$b: ClientPlugin 0x143ab:$c: ProjectData 0x14db2:$d: DESCrypto 0x1c77e:$e: KeepAlive 0x1a76c:$g: LogClientMessage 0x16967:$i: get_Connected 0x150e8:$j: #=q 0x15118:$j: #=q 0x15134:$j: #=q 0x15164:$j: #=q 0x15180:$j: #=q 0x1519c:$j: #=q 0x151cc:$j: #=q 0x151e8:$j: #=q
00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35b5:$a: NanoCore 0x360e:$a: NanoCore 0x364b:$a: NanoCore 0x36c4:$a: NanoCore 0x16d6f:$a: NanoCore 0x16d84:$a: NanoCore 0x16db9:$a: NanoCore 0x2fd5b:$a: NanoCore 0x2fd70:$a: NanoCore 0x2fda5:$a: NanoCore 0x3617:$b: ClientPlugin 0x3654:$b: ClientPlugin 0x3f52:$b: ClientPlugin 0x3f5f:$b: ClientPlugin 0x16b2b:$b: ClientPlugin 0x16b46:$b: ClientPlugin 0x16b76:$b: ClientPlugin 0x16d8d:$b: ClientPlugin 0x16dc2:$b: ClientPlugin 0x2fb17:$b: ClientPlugin 0x2fb32:$b: ClientPlugin
00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435b5:$a: NanoCore 0x4360e:$a: NanoCore 0x4364b:$a: NanoCore 0x436c4:$a: NanoCore 0x56d6f:$a: NanoCore 0x56d84:$a: NanoCore 0x56db9:$a: NanoCore 0x6fd5b:$a: NanoCore 0x6fd70:$a: NanoCore 0x6fda5:$a: NanoCore 0x43617:$b: ClientPlugin 0x43654:$b: ClientPlugin 0x43f52:$b: ClientPlugin 0x43f5f:$b: ClientPlugin 0x56b2b:$b: ClientPlugin 0x56b46:$b: ClientPlugin 0x56b76:$b: ClientPlugin 0x56d8d:$b: ClientPlugin 0x56dc2:$b: ClientPlugin 0x6fb17:$b: ClientPlugin 0x6fb32:$b: ClientPlugin
00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x144bd:$x1: NanoCore.ClientPluginHost 0x144fa:$x2: IClientNetworkHost 0x1802d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14225:$a: NanoCore 0x14235:$a: NanoCore 0x14469:$a: NanoCore 0x1447d:$a: NanoCore 0x144bd:$a: NanoCore 0x14284:$b: ClientPlugin 0x14486:$b: ClientPlugin 0x144c6:$b: ClientPlugin 0x143ab:$c: ProjectData 0x14db2:$d: DESCrypto 0x1c77e:$e: KeepAlive 0x1a76c:$g: LogClientMessage 0x16967:$i: get_Connected 0x150e8:$j: #=q 0x15118:$j: #=q 0x15134:$j: #=q 0x15164:$j: #=q 0x15180:$j: #=q 0x1519c:$j: #=q 0x151cc:$j: #=q 0x151e8:$j: #=q
0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x90cd5:$x1: NanoCore.ClientPluginHost 0x90d12:$x2: IClientNetworkHost 0x94845:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x90a3d:$a: NanoCore 0x90a4d:$a: NanoCore 0x90c81:$a: NanoCore 0x90c95:$a: NanoCore 0x90cd5:$a: NanoCore 0x90a9c:$b: ClientPlugin 0x90c9e:$b: ClientPlugin 0x90cde:$b: ClientPlugin 0x90bc3:$c: ProjectData 0x915ca:$d: DESCrypto 0x98f96:$e: KeepAlive 0x96f84:$g: LogClientMessage 0x9317f:$i: get_Connected 0x91900:$j: #=q 0x91930:$j: #=q 0x9194c:$j: #=q 0x9197c:$j: #=q 0x91998:$j: #=q 0x919b4:$j: #=q 0x919e4:$j: #=q 0x91a00:$j: #=q
00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69383:$a: NanoCore 0x693dc:$a: NanoCore 0x69419:$a: NanoCore 0x69492:$a: NanoCore 0x693e5:$b: ClientPlugin 0x69422:$b: ClientPlugin 0x69d20:$b: ClientPlugin 0x69d2d:$b: ClientPlugin 0x5f500:$e: KeepAlive 0x6986d:$g: LogClientMessage 0x697ed:$i: get_Connected 0x597b9:$j: #=q 0x597e9:$j: #=q 0x59825:$j: #=q 0x5984d:$j: #=q 0x5987d:$j: #=q 0x598ad:$j: #=q 0x598dd:$j: #=q 0x5990d:$j: #=q 0x59929:$j: #=q 0x59959:$j: #=q
00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x91c0d:$x1: NanoCore.ClientPluginHost 0x91c4a:$x2: IClientNetworkHost 0x9577d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x91975:$a: NanoCore 0x91985:$a: NanoCore 0x91bb9:$a: NanoCore 0x91bcd:$a: NanoCore 0x91c0d:$a: NanoCore 0x919d4:$b: ClientPlugin 0x91bd6:$b: ClientPlugin 0x91c16:$b: ClientPlugin 0x91afb:$c: ProjectData 0x92502:$d: DESCrypto 0x99ece:$e: KeepAlive 0x97ebc:$g: LogClientMessage 0x940b7:$i: get_Connected 0x92838:$j: #=q 0x92868:$j: #=q 0x92884:$j: #=q 0x928b4:$j: #=q 0x928d0:$j: #=q 0x928ec:$j: #=q 0x9291c:$j: #=q 0x92938:$j: #=q
00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: company profile.exe PID: 4920	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e741:$x1: NanoCore.ClientPluginHost 0x4e7a2:$x2: IClientNetworkHost 0x53ba7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x61b19:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: company profile.exe PID: 4920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: company profile.exe PID: 4920	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: company profile.exe PID: 4920	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e246:$a: NanoCore 0x4e262:$a: NanoCore 0x4e3bd:$a: NanoCore 0x4e3cc:$a: NanoCore 0x4e6a5:$a: NanoCore 0x4e6d1:$a: NanoCore 0x4e741:$a: NanoCore 0x5e183:$a: NanoCore 0x5e195:$a: NanoCore 0x5e1d1:$a: NanoCore 0x4e2ed:$b: ClientPlugin 0x4e416:$b: ClientPlugin 0x4e6da:$b: ClientPlugin 0x4e74a:$b: ClientPlugin 0x5e19e:$b: ClientPlugin 0x5e1da:$b: ClientPlugin 0x44861:$c: ProjectData 0x46d10:$c: ProjectData 0x4e563:$c: ProjectData 0x5e0d0:$c: ProjectData 0xce96b:$c: ProjectData
Process Memory Space: company profile.exe PID: 5960	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa626d:$x1: NanoCore.ClientPluginHost 0xa62ce:$x2: IClientNetworkHost 0xab6d3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb9645:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: company profile.exe PID: 5960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: company profile.exe PID: 5960	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: company profile.exe PID: 5960	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa5d72:$a: NanoCore 0xa5d8e:$a: NanoCore 0xa5ee9:$a: NanoCore 0xa5ef8:$a: NanoCore 0xa61d1:$a: NanoCore 0xa61fd:$a: NanoCore 0xa626d:$a: NanoCore 0xb5caf:$a: NanoCore 0xb5cc1:$a: NanoCore 0xb5cfd:$a: NanoCore 0xa5e19:$b: ClientPlugin 0xa5f42:$b: ClientPlugin 0xa6206:$b: ClientPlugin 0xa6276:$b: ClientPlugin 0xb5cca:$b: ClientPlugin 0xb5d06:$b: ClientPlugin 0x53ddc:$c: ProjectData 0x5628b:$c: ProjectData 0xa608f:$c: ProjectData 0xb5bfc:$c: ProjectData 0x27b039:$c: ProjectData
Process Memory Space: company profile.exe PID: 6456	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6e3f:$x1: NanoCore.ClientPluginHost 0xc9fe:$x1: NanoCore.ClientPluginHost 0x1dda7:$x1: NanoCore.ClientPluginHost 0x5b21b:$x1: NanoCore.ClientPluginHost 0x68ee9:$x1: NanoCore.ClientPluginHost 0x6e65:$x2: IClientNetworkHost 0xca43:$x2: IClientNetworkHost 0x1ddec:$x2: IClientNetworkHost 0x5b241:$x2: IClientNetworkHost 0x68f4a:$x2: IClientNetworkHost 0x6e34f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7c2c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: company profile.exe PID: 6456	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: company profile.exe PID: 6456	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6d31:$a: NanoCore 0x6dd2:$a: NanoCore 0x6e3f:$a: NanoCore 0x6f00:$a: NanoCore 0x7dd1:$a: NanoCore 0x7e24:$a: NanoCore 0x7e5d:$a: NanoCore 0x7ed0:$a: NanoCore 0xc978:$a: NanoCore 0xc9a5:$a: NanoCore 0xc9fe:$a: NanoCore 0x1420d:$a: NanoCore 0x14220:$a: NanoCore 0x14252:$a: NanoCore 0x1dd21:$a: NanoCore 0x1dd4e:$a: NanoCore 0x1dda7:$a: NanoCore 0x255b6:$a: NanoCore 0x255c9:$a: NanoCore 0x255fb:$a: NanoCore 0x33ee1:$a: NanoCore
Process Memory Space: company profile.exe PID: 6080	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1528d:$x1: NanoCore.ClientPluginHost 0x68f60:$x1: NanoCore.ClientPluginHost 0x877b7:$x1: NanoCore.ClientPluginHost 0x8d376:$x1: NanoCore.ClientPluginHost 0x9e71f:$x1: NanoCore.ClientPluginHost 0x22efb1:$x1: NanoCore.ClientPluginHost 0x152ee:$x2: IClientNetworkHost 0x68f86:$x2: IClientNetworkHost 0x877dd:$x2: IClientNetworkHost 0x8d3bb:$x2: IClientNetworkHost 0x9e764:$x2: IClientNetworkHost 0x22eff6:$x2: IClientNetworkHost 0x1a6f3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x28665:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: company profile.exe PID: 6080	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: company profile.exe PID: 6080	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14d92:$a: NanoCore 0x14dae:$a: NanoCore 0x14f09:$a: NanoCore 0x14f18:$a: NanoCore 0x151f1:$a: NanoCore 0x1521d:$a: NanoCore 0x1528d:$a: NanoCore 0x24ccf:$a: NanoCore 0x24ce1:$a: NanoCore 0x24d1d:$a: NanoCore 0x4199d:$a: NanoCore 0x41a04:$a: NanoCore 0x41aa7:$a: NanoCore 0x68e52:$a: NanoCore 0x68ef3:$a: NanoCore 0x68f60:$a: NanoCore 0x69021:$a: NanoCore 0x69ef2:$a: NanoCore 0x69f45:$a: NanoCore 0x69f7e:$a: NanoCore 0x69ff1:$a: NanoCore
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.company profile.exe.6840000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.company profile.exe.6840000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.company profile.exe.6840000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.company profile.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
25.2.company profile.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
25.2.company profile.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.company profile.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.company profile.exe.6840000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.company profile.exe.6840000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.company profile.exe.6840000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.company profile.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.company profile.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.company profile.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.company profile.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.company profile.exe.5bd0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.company profile.exe.5bd0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\company profile.exe, ProcessId: 6080, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\company profile.exe' , ParentImage: C:\Users\user\Desktop\company profile.exe, ParentProcessId: 5960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp', ProcessId: 5976

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: company profile.exe.6080.6.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["105.112.102.172"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe	Virustotal: Detection: 33%			Perma Link
Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Show sources

Source: company profile.exe	Virustotal: Detection: 33%			Perma Link
Source: company profile.exe	ReversingLabs: Detection: 37%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: company profile.exe

Joe Sandbox ML: detected

Source: 25.2.company profile.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.company profile.exe.6840000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.2.company profile.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: company profile.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: company profile.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	1_2_03341670
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_0334FD48
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then push dword ptr [ebp-20h]	1_2_0334FEB8
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_0334FEB8
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	1_2_03341590
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	1_2_033415D1
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	1_2_059CD750
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	1_2_059CD748
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then xor edx, edx	1_2_059CFF56
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then xor edx, edx	1_2_059CFF60
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_052FD74B
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_052FD750
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then xor edx, edx	11_2_052FFF60
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4x nop then xor edx, edx	11_2_052FFF57

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 105.112.102.172

Uses dynamic DNS services

Show sources

Source: unknown	DNS query: name: kcfresh.duckdns.org
Source: unknown	DNS query: name: kcfresh.ddns.net

Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 185.140.53.227:5050
Source: global traffic	TCP traffic: 192.168.2.3:49721 -> 105.112.102.172:5050

Source: Joe Sandbox View	ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: Joe Sandbox View	ASN Name: VNL1-ASNG VNL1-ASNG

Source: unknown

DNS traffic detected: queries for: kcfresh.duckdns.org

Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: company profile.exe, 00000001.00000002.252392608.0000000003407000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.309406249.0000000002D27000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: company profile.exe, 0000000B.00000003.280780605.00000000035D3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/experimentDataSet.xsd
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

PE file contains section with special chars

Show sources

Source: company profile.exe	Static PE information: section name: EMP;sb
Source: UnShSbgF.exe.1.dr	Static PE information: section name: EMP;sb

PE file has nameless sections

Show sources

Source: company profile.exe	Static PE information: section name:
Source: UnShSbgF.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03342B48	1_2_03342B48
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03346B4A	1_2_03346B4A
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334BA20	1_2_0334BA20
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03340512	1_2_03340512
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334355A	1_2_0334355A
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03344DA8	1_2_03344DA8
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03342410	1_2_03342410
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334B4D0	1_2_0334B4D0
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03342379	1_2_03342379
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03342FF8	1_2_03342FF8
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03345E20	1_2_03345E20
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03345E10	1_2_03345E10
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033452E0	1_2_033452E0
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033466E0	1_2_033466E0
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033452D0	1_2_033452D0
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033466D1	1_2_033466D1
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03346932	1_2_03346932
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03346940	1_2_03346940
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03341590	1_2_03341590
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03345582	1_2_03345582
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033475F4	1_2_033475F4
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033415D1	1_2_033415D1
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334AC10	1_2_0334AC10
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03346C06	1_2_03346C06
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334500A	1_2_0334500A
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033464A8	1_2_033464A8
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03341891	1_2_03341891
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_03346498	1_2_03346498
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_0334609A	1_2_0334609A
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033448D2	1_2_033448D2
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059CC72C	1_2_059CC72C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059CCC98	1_2_059CCC98
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059CAC70	1_2_059CAC70
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059CAC6B	1_2_059CAC6B
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059C9838	1_2_059C9838
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F016C	4_2_003F016C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F0949	4_2_003F0949
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F09B7	4_2_003F09B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003ECA09	4_2_003ECA09
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003ECA75	4_2_003ECA75
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F03B7	4_2_003F03B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D016C	5_2_002D016C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D0949	5_2_002D0949
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D09B7	5_2_002D09B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002CCA09	5_2_002CCA09
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002CCA75	5_2_002CCA75
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D03B7	5_2_002D03B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB09B7	6_2_00EB09B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB016C	6_2_00EB016C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB0949	6_2_00EB0949
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EACA75	6_2_00EACA75
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EACA09	6_2_00EACA09
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB03B7	6_2_00EB03B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_031AE471	6_2_031AE471
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_031AE480	6_2_031AE480
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_031ABBD4	6_2_031ABBD4
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_06C20040	6_2_06C20040
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052FC72C	11_2_052FC72C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052FAC6B	11_2_052FAC6B
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052FAC70	11_2_052FAC70
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052FCCA3	11_2_052FCCA3
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F9838	11_2_052F9838
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B0949	22_2_004B0949
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B016C	22_2_004B016C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B09B7	22_2_004B09B7
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004ACA75	22_2_004ACA75
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004ACA09	22_2_004ACA09
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B03B7	22_2_004B03B7

Source: company profile.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UnShSbgF.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000001.00000002.257978885.00000000063B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs company profile.exe
Source: company profile.exe, 00000001.00000002.257978885.00000000063B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs company profile.exe
Source: company profile.exe, 00000001.00000002.257548044.00000000062B0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs company profile.exe
Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs company profile.exe
Source: company profile.exe, 00000001.00000000.214189125.0000000000FB8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000001.00000003.247183418.0000000003952000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs company profile.exe
Source: company profile.exe, 00000001.00000002.262266350.000000000D7C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000004.00000000.245747138.00000000003E8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000005.00000000.247912364.00000000002C8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000006.00000002.587386894.0000000000EA8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.588949042.00000000015DA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs company profile.exe
Source: company profile.exe, 00000006.00000002.596906937.0000000006750000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe, 00000006.00000002.596330468.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs company profile.exe
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 0000000B.00000002.312572551.00000000031EE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs company profile.exe
Source: company profile.exe, 0000000B.00000002.308481106.000000000107A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs company profile.exe
Source: company profile.exe, 0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs company profile.exe
Source: company profile.exe, 0000000B.00000000.261152804.0000000000948000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 0000000B.00000002.315557540.0000000005CB0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs company profile.exe
Source: company profile.exe, 0000000B.00000002.315557540.0000000005CB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs company profile.exe
Source: company profile.exe, 0000000B.00000002.318131650.000000000CB20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe, 0000000B.00000002.314637005.0000000005BB0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000016.00000002.302743728.00000000004A8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000017.00000002.304090131.00000000004C8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000018.00000002.305392852.00000000001E8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.327797268.0000000000668000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe	Binary or memory string: OriginalFilename8v.exe. vs company profile.exe

Source: company profile.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: company profile.exe	Static PE information: Section: EMP;sb ZLIB complexity 1.00031569693
Source: UnShSbgF.exe.1.dr	Static PE information: Section: EMP;sb ZLIB complexity 1.00031569693

Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@25/7@16/3

Source: C:\Users\user\Desktop\company profile.exe

File created: C:\Users\user\AppData\Roaming\UnShSbgF.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Users\user\Desktop\company profile.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0af7db9b-e643-4242-8d33-72a12cf49afa}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01

Source: C:\Users\user\Desktop\company profile.exe

File created: C:\Users\user\AppData\Local\Temp\tmp75B1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: company profile.exe, 00000001.00000003.236561919.0000000003CB3000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000003.280780605.00000000035D3000.00000004.00000001.sdmp

Binary or memory string: select * from PMS;select * from PMS where

Source: company profile.exe	Virustotal: Detection: 33%
Source: company profile.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\company profile.exe

File read: C:\Users\user\Desktop\company profile.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe 'C:\Users\user\Desktop\company profile.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe 'C:\Users\user\Desktop\company profile.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: company profile.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: company profile.exe

Static file information: File size 1499648 > 1048576

Source: company profile.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\company profile.exe	Unpacked PE file: 1.2.company profile.exe.ec0000.0.unpack EMP;:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Users\user\Desktop\company profile.exe	Unpacked PE file: 11.2.company profile.exe.850000.0.unpack EMP;:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Show sources

Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: company profile.exe	Static PE information: section name: EMP;sb
Source: company profile.exe	Static PE information: section name:
Source: UnShSbgF.exe.1.dr	Static PE information: section name: EMP;sb
Source: UnShSbgF.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_00F1A58E push edx; retf	1_2_00F1A5AC
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_00F1BC3D push cs; retf	1_2_00F1BC40
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_00F1A612 push edx; retf	1_2_00F1A5AC
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_033437C3 push edx; retf	1_2_033437C5
Source: C:\Users\user\Desktop\company profile.exe	Code function: 1_2_059C800B push 5D5F5E59h; ret	1_2_059C8003
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F402E push esi; retn 0003h	4_2_003F4077
Source: C:\Users\user\Desktop\company profile.exe	Code function: 4_2_003F374E push es; retf	4_2_003F375C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D402E push esi; retn 0003h	5_2_002D4077
Source: C:\Users\user\Desktop\company profile.exe	Code function: 5_2_002D374E push es; retf	5_2_002D375C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB402E push esi; retn 0003h	6_2_00EB4077
Source: C:\Users\user\Desktop\company profile.exe	Code function: 6_2_00EB374E push es; retf	6_2_00EB375C
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_008AA58E push edx; retf	11_2_008AA5AC
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_008AA612 push edx; retf	11_2_008AA5AC
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_008ABC3D push cs; retf	11_2_008ABC40
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F0580 push edi; retf	11_2_052F0586
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F043B push esp; retf	11_2_052F0442
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F0439 push esp; retf	11_2_052F043A
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052FF138 push esp; retf	11_2_052FF139
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F6FE3 pushfd ; retf	11_2_052F6FEA
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F6FDF pushfd ; retf	11_2_052F6FE2
Source: C:\Users\user\Desktop\company profile.exe	Code function: 11_2_052F1E2B pushad ; retf	11_2_052F1E32
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B402E push esi; retn 0003h	22_2_004B4077
Source: C:\Users\user\Desktop\company profile.exe	Code function: 22_2_004B374E push es; retf	22_2_004B375C

Source: initial sample	Static PE information: section name: EMP;sb entropy: 7.99980466465
Source: initial sample	Static PE information: section name: EMP;sb entropy: 7.99980466465

Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\company profile.exe

File created: C:\Users\user\AppData\Roaming\UnShSbgF.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\company profile.exe

File opened: C:\Users\user\Desktop\company profile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\company profile.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe	Window / User API: threadDelayed 4701	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Window / User API: threadDelayed 4744	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Window / User API: foregroundWindowGot 1245	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Window / User API: foregroundWindowGot 413	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe TID: 2396	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 6140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5328	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5856	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: company profile.exe, 00000006.00000002.589235943.000000000167D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\company profile.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\company profile.exe

Code function: 1_2_03341670 CheckRemoteDebuggerPresent,

1_2_03341670

Source: C:\Users\user\Desktop\company profile.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Process created: C:\Users\user\Desktop\company profile.exe {path}	Jump to behavior

Source: company profile.exe, 00000006.00000002.597562460.00000000071ED000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: company profile.exe, 00000006.00000002.591492562.000000000330E000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa&l
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\company profile.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: company profile.exe, 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: company profile.exe, 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match	File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery321	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion4	LSASS Memory	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
company profile.exe	34%	Virustotal		Browse
company profile.exe	38%	ReversingLabs	Win32.Trojan.Wacatac
company profile.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\UnShSbgF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UnShSbgF.exe	34%	Virustotal		Browse
C:\Users\user\AppData\Roaming\UnShSbgF.exe	38%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.company profile.exe.850000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
25.2.company profile.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.company profile.exe.6840000.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
6.2.company profile.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.company profile.exe.ec0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
kcfresh.duckdns.org	1%	Virustotal		Browse
kcfresh.ddns.net	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kcfresh.duckdns.org	185.140.53.227	true	true	1%, Virustotal, Browse	unknown
kcfresh.ddns.net	105.112.102.172	true	true	3%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.tiro.com	company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.fonts.com	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	company profile.exe, 00000001.00000002.252392608.0000000003407000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.309406249.0000000002D27000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.227	unknown	Sweden		209623	DAVID_CRAIGGG	true
105.112.102.172	unknown	Nigeria		36873	VNL1-ASNG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	342227
Start date:	20.01.2021
Start time:	17:09:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	company profile.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@25/7@16/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.1% (good quality ratio 1.1%) Quality average: 30.7% Quality standard deviation: 34.6%
HCA Information:	Successful, ratio: 97% Number of executed functions: 64 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 104.42.151.234, 23.210.248.85, 51.104.144.132, 8.248.147.254, 8.248.115.254, 8.253.204.121, 67.27.157.126, 67.27.159.126, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.139.180, 52.155.217.156 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:12:42	API Interceptor	1305x Sleep call for process: company profile.exe modified
17:12:54	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\company profile.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.140.53.227	New Order.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	NEWORDERrefno0992883jpg.exe	Get hash	malicious	Browse	185.140.53.253
	richiealvin.exe	Get hash	malicious	Browse	91.193.75.185
	Quotation.exe	Get hash	malicious	Browse	185.140.53.154
	DHL Delivery Shipping Cargo. Pdf.exe	Get hash	malicious	Browse	185.244.30.18
	CompanyLicense.exe	Get hash	malicious	Browse	185.140.53.253
	Purchase Order 2094742424.exe	Get hash	malicious	Browse	185.244.30.132
	PURCHASE OREDER. PRINT. pdf.exe	Get hash	malicious	Browse	91.193.75.45
	PO.exe	Get hash	malicious	Browse	185.140.53.234
	SWIFT.exe	Get hash	malicious	Browse	185.140.53.154
	SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe	Get hash	malicious	Browse	185.140.53.234
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse	185.140.53.131
	Orden n.#U00ba STL21119, pdf.exe	Get hash	malicious	Browse	185.140.53.129
	Proof of Payment.exe	Get hash	malicious	Browse	185.244.30.51
	DxCHoDnNLn.exe	Get hash	malicious	Browse	185.140.53.202
	T7gzTHDZ7g.rtf	Get hash	malicious	Browse	185.140.53.202
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69
	PO AR483-1590436 _ J-3000 PROJT.xlsx	Get hash	malicious	Browse	185.140.53.202
	Qotation.exe	Get hash	malicious	Browse	185.140.53.154
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69
	file.exe	Get hash	malicious	Browse	91.193.75.155
VNL1-ASNG	Order_List_PO# 081929.exe	Get hash	malicious	Browse	105.112.102.160
	Doc#6620200947535257653.exe	Get hash	malicious	Browse	105.112.102.162
	Doc#6620200947535257653.exe	Get hash	malicious	Browse	105.112.106.128
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	Confirmation Copy RefNo-MT102.exe	Get hash	malicious	Browse	105.112.102.57
	FedExs AWB#5305323204643.exe	Get hash	malicious	Browse	105.112.113.90
	PAYMENT COPY.exe	Get hash	malicious	Browse	105.112.109.37
	PO456789.exe	Get hash	malicious	Browse	105.112.96.12
	DHL_10177_R293_DOCUMENT.exe	Get hash	malicious	Browse	105.112.101.201
	ibgcrnNmhB.exe	Get hash	malicious	Browse	105.112.25.130
	purchase order.exe	Get hash	malicious	Browse	105.112.25.74
	packing list.xlsx.exe	Get hash	malicious	Browse	105.112.69.142
	9087654.exe	Get hash	malicious	Browse	105.112.101.151
	RFQ.exe	Get hash	malicious	Browse	105.112.100.239
	LOI.exe	Get hash	malicious	Browse	105.112.100.239
	corporate-tax.exe	Get hash	malicious	Browse	105.112.101.84
	QUOTATION - COVID 19 PROTECTION SOLUTIONS - final.exe	Get hash	malicious	Browse	105.112.124.8

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\company profile.exe.log Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
MD5:	B666A4404B132B2BF6C04FBF848EB948
SHA1:	D2EFB3D43F8B8806544D3A47F7DAEE8534981739
SHA-256:	7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
SHA-512:	00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp132E.tmp Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1305
Entropy (8bit):	5.095160776157076
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK00lxtn:cbk4oL600QydbQxIYODOLedq37j
MD5:	4F99D40B064D2DF7C7D4C116C77F3D4A
SHA1:	7A3169F99997B406FEA127C0B9A7E8D6ACE00CA1
SHA-256:	13EA833AE6E2760DE9D70F0B3AB442CCA6DF2240206120DAE783F66147778B30
SHA-512:	E7064B43AF7C38D18CAF462524D2A8A2DC3CF93DD4CBE5495AD5762D81365EE26C4CB54AAAA387A6C25D3151F264183926AF46C9684CC07F039AF780F571488B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp75B1.tmp Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.186538159731165
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBEItn:cbh47TlNQ//rydbz9I3YODOLNdq3j
MD5:	5D4EB8C36D9B89226BDC5ADB52FDDFC0
SHA1:	AF597C7A4A7C686AFFAF2482DB75417D5F92315D
SHA-256:	93466395E1FD944F5ED9AFD1063E0B46CE6CA6F8CF5CE0E89BD2CE049862175F
SHA-512:	7C7B7AFD07D5444A373CE4113F200C1BBCA840399D473EC144562B51174D404B1442A660E63CA47BA6C83492BC676839852C80157F2503B2FAD9A1C92B81D95A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.186538159731165
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBEItn:cbh47TlNQ//rydbz9I3YODOLNdq3j
MD5:	5D4EB8C36D9B89226BDC5ADB52FDDFC0
SHA1:	AF597C7A4A7C686AFFAF2482DB75417D5F92315D
SHA-256:	93466395E1FD944F5ED9AFD1063E0B46CE6CA6F8CF5CE0E89BD2CE049862175F
SHA-512:	7C7B7AFD07D5444A373CE4113F200C1BBCA840399D473EC144562B51174D404B1442A660E63CA47BA6C83492BC676839852C80157F2503B2FAD9A1C92B81D95A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:reCYP:KCYP
MD5:	8B9C7557FD06FFDB6AB44F46DC5604D4
SHA1:	D1E1B759695E4473A8241ED6FD686B085DE6AC9B
SHA-256:	B7BB0299B1B8D42CABBA97A91C9AB732DEBDE40B8D5CA84904C938AB443F3ABC
SHA-512:	A9BDE3F3F6DE9608AE9FA5BC4422BB4735BC6540482DC8D74DD87DCB2F400D52BBCDE5F685A11D21758CCDC0266C08C4F6CECCCF7CE96D570A4E81DA6BC4C2E3
Malicious:	true
Preview:	d.{....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.424955744609936
Encrypted:	false
SSDEEP:	3:oNWXp5vGKIVE4XoJ:oNWXpFGTiJ
MD5:	97913E49D175BDD85E9DF3F71519605F
SHA1:	B6D8C0E8D4888A71AE16529A5332A745D2F6E6FB
SHA-256:	C46B23847096F56A5952D29B05027728B48DB4B1B98A804CBEF9B88659CD5D2B
SHA-512:	77916F0BF82170A6398C251FF77A578741039D9D03915EE83BA374F6E0FD09BF550AAAE0B91277FBF21F5B91709AF5D987C0D566960488E93E2A64E46AAA5833
Malicious:	false
Preview:	C:\Users\user\Desktop\company profile.exe

C:\Users\user\AppData\Roaming\UnShSbgF.exe Download File
Process:	C:\Users\user\Desktop\company profile.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1499648
Entropy (8bit):	7.424594248821242
Encrypted:	false
SSDEEP:	24576:Wb8xxR5pV+4Xd8LO6TVz7uxgHf8JnHkDasy:E8f7jWdTVei/OHkDq
MD5:	02F3EEF9DA2EF90D0CF59BFACA176886
SHA1:	6BCA96158D72284A8B5A9E1FE01EB8504A1A05FF
SHA-256:	76FFD919E86B374004BCBC276CB6E18BE4B63287D0CE6F7D9B1B756BFD79D47E
SHA-512:	CE64211FA30C6C1F8541D8889E0E373A829ABD4E786B1EF6B473E851E9E7CF7C5109D0B2F85936494D4D3125CF63FFC6A282C75E1A34CDCF052111753AC35747
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..............@....... ....@.. .......................`............@.....................................K....`....................... .......................................................@..................H...........EMP;.s.bPD... ...F..................@....text................J.............. ..`.rsrc........`.......&..............@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.424594248821242
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	company profile.exe
File size:	1499648
MD5:	02f3eef9da2ef90d0cf59bfaca176886
SHA1:	6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
SHA256:	76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
SHA512:	ce64211fa30c6c1f8541d8889e0e373a829abd4e786b1ef6b473e851e9e7cf7c5109d0b2f85936494d4d3125cf63ffc6a282c75e1a34cdcf052111753ac35747
SSDEEP:	24576:Wb8xxR5pV+4Xd8LO6TVz7uxgHf8JnHkDasy:E8f7jWdTVei/OHkDq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..............@....... ....@.. .......................`............@................................

File Icon


Icon Hash:	926cd8b0b4d24f92

Static PE Info

General
Entrypoint:	0x57400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6007DFD9 [Wed Jan 20 07:46:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00574000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf8890	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x156000	0x1b788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x172000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x174000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xf8000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
EMP;sb	0x2000	0xf4450	0xf4600	False	1.00031569693	data	7.99980466465	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0xf8000	0x5dae8	0x5dc00	False	0.2996171875	data	4.37913403496	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x156000	0x1b788	0x1b800	False	0.186780894886	data	3.43599224394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x172000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x174000	0x10	0x200	False	0.044921875	data	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x156220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x156688	0x2ad0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x159158	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3892081920, next used block 3187504384
RT_ICON	0x15b700	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294866176, next used block 4294866176
RT_ICON	0x15c7a8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x16cfd0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 670987520, next used block 0
RT_GROUP_ICON	0x1711f8	0x5a	data
RT_VERSION	0x171254	0x342	data
RT_MANIFEST	0x171598	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Hewlett-Packard 2016
Assembly Version	46.3.0.0
InternalName	8v.exe
FileVersion	46.3.0.0
CompanyName	Hewlett-Packard
LegalTrademarks
Comments
ProductName
ProductVersion	46.3.0.0
FileDescription
OriginalFilename	8v.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2021 17:12:53.951412916 CET	49713	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:12:54.000073910 CET	5050	49713	185.140.53.227	192.168.2.3
Jan 20, 2021 17:12:54.504492998 CET	49713	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:12:54.553361893 CET	5050	49713	185.140.53.227	192.168.2.3
Jan 20, 2021 17:12:55.064599037 CET	49713	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:12:55.113152027 CET	5050	49713	185.140.53.227	192.168.2.3
Jan 20, 2021 17:12:59.254609108 CET	49717	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:12:59.303097963 CET	5050	49717	185.140.53.227	192.168.2.3
Jan 20, 2021 17:12:59.830631971 CET	49717	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:12:59.879139900 CET	5050	49717	185.140.53.227	192.168.2.3
Jan 20, 2021 17:13:00.493585110 CET	49717	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:13:00.542746067 CET	5050	49717	185.140.53.227	192.168.2.3
Jan 20, 2021 17:13:04.674650908 CET	49718	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:13:04.723083019 CET	5050	49718	185.140.53.227	192.168.2.3
Jan 20, 2021 17:13:05.331134081 CET	49718	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:13:05.379919052 CET	5050	49718	185.140.53.227	192.168.2.3
Jan 20, 2021 17:13:06.034282923 CET	49718	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:13:06.083101034 CET	5050	49718	185.140.53.227	192.168.2.3
Jan 20, 2021 17:13:10.632256985 CET	49721	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:13.659883976 CET	49721	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:19.676093102 CET	49721	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:27.459836960 CET	49725	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:30.473774910 CET	49725	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:36.489917994 CET	49725	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:44.849807978 CET	49733	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:47.850276947 CET	49733	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:13:53.850784063 CET	49733	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:01.686594963 CET	49742	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:01.735313892 CET	5050	49742	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:02.242161989 CET	49742	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:02.291104078 CET	5050	49742	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:02.804785967 CET	49742	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:02.853647947 CET	5050	49742	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:06.974219084 CET	49743	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:07.023099899 CET	5050	49743	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:07.523895979 CET	49743	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:07.572540045 CET	5050	49743	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:08.086697102 CET	49743	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:08.135360956 CET	5050	49743	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:12.538840055 CET	49744	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:12.587572098 CET	5050	49744	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:13.102432966 CET	49744	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:13.151457071 CET	5050	49744	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:13.665100098 CET	49744	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:14:13.713771105 CET	5050	49744	185.140.53.227	192.168.2.3
Jan 20, 2021 17:14:17.888115883 CET	49745	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:20.884325981 CET	49745	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:26.900515079 CET	49745	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:34.720561028 CET	49748	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:37.729413986 CET	49748	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:43.729974031 CET	49748	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:51.353595972 CET	49749	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:14:54.355807066 CET	49749	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:15:00.356338024 CET	49749	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:15:08.322185040 CET	49750	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:08.370486021 CET	5050	49750	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:08.872690916 CET	49750	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:08.921380043 CET	5050	49750	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:09.435206890 CET	49750	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:09.483859062 CET	5050	49750	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:13.769426107 CET	49751	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:13.818001032 CET	5050	49751	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:14.326442003 CET	49751	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:14.374986887 CET	5050	49751	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:14.893300056 CET	49751	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:14.942029953 CET	5050	49751	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:19.113058090 CET	49757	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:19.161782980 CET	5050	49757	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:19.686198950 CET	49757	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:19.734893084 CET	5050	49757	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:20.288041115 CET	49757	5050	192.168.2.3	185.140.53.227
Jan 20, 2021 17:15:20.336539984 CET	5050	49757	185.140.53.227	192.168.2.3
Jan 20, 2021 17:15:24.561131954 CET	49763	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:15:27.711155891 CET	49763	5050	192.168.2.3	105.112.102.172
Jan 20, 2021 17:15:33.727176905 CET	49763	5050	192.168.2.3	105.112.102.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2021 17:12:30.115456104 CET	60152	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:30.171864986 CET	53	60152	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:31.108071089 CET	57544	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:31.164551973 CET	53	57544	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:33.920929909 CET	55984	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:33.971705914 CET	53	55984	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:36.327366114 CET	64185	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:36.375221014 CET	53	64185	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:37.282816887 CET	65110	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:37.330900908 CET	53	65110	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:47.214193106 CET	58361	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:47.262096882 CET	53	58361	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:48.410496950 CET	63492	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:48.461219072 CET	53	63492	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:50.876347065 CET	60831	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:50.926973104 CET	53	60831	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:52.303313971 CET	60100	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:52.362260103 CET	53	60100	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:53.715147018 CET	53195	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:53.936311007 CET	53	53195	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:57.024483919 CET	50141	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:57.085048914 CET	53	50141	8.8.8.8	192.168.2.3
Jan 20, 2021 17:12:59.203219891 CET	53023	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:12:59.251117945 CET	53	53023	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:04.612528086 CET	49563	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:04.668864012 CET	53	49563	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:06.832524061 CET	51352	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:06.880430937 CET	53	51352	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:10.573229074 CET	59349	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:10.630872011 CET	53	59349	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:15.194449902 CET	57084	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:16.192384958 CET	57084	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:16.240313053 CET	53	57084	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:24.219270945 CET	58823	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:24.267188072 CET	53	58823	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:26.721561909 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:26.769531012 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:27.398511887 CET	50540	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:27.457781076 CET	53	50540	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:27.945595026 CET	54366	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:27.993823051 CET	53	54366	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:30.246763945 CET	53034	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:30.294702053 CET	53	53034	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:31.382765055 CET	57762	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:31.430870056 CET	53	57762	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:32.011482954 CET	55435	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:32.082386971 CET	53	55435	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:32.660548925 CET	50713	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:32.711457014 CET	53	50713	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:35.258546114 CET	56132	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:35.309422970 CET	53	56132	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:36.446857929 CET	58987	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:36.494741917 CET	53	58987	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:44.700119019 CET	56579	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:44.757843018 CET	53	56579	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:45.841614962 CET	60633	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:45.889656067 CET	53	60633	8.8.8.8	192.168.2.3
Jan 20, 2021 17:13:51.571892023 CET	61292	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:13:51.629636049 CET	53	61292	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:01.463038921 CET	63619	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:01.684941053 CET	53	63619	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:06.915060997 CET	64938	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:06.971584082 CET	53	64938	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:12.313934088 CET	61946	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:12.535736084 CET	53	61946	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:17.765189886 CET	64910	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:17.825486898 CET	53	64910	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:21.005423069 CET	52123	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:21.056504965 CET	53	52123	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:23.060621977 CET	56130	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:23.119894981 CET	53	56130	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:34.662410975 CET	56338	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:34.718652010 CET	53	56338	8.8.8.8	192.168.2.3
Jan 20, 2021 17:14:51.294055939 CET	59420	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:14:51.350522041 CET	53	59420	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:07.953716993 CET	58784	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:08.320425987 CET	53	58784	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:13.571491957 CET	63978	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:13.628048897 CET	53	63978	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:16.234194040 CET	62938	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:16.310164928 CET	53	62938	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:16.842221975 CET	55708	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:16.903183937 CET	53	55708	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:17.525993109 CET	56803	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:17.582118034 CET	53	56803	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:18.020863056 CET	57145	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:18.077400923 CET	53	57145	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:18.668761969 CET	55359	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:18.727881908 CET	53	55359	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:19.055500031 CET	58306	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:19.111709118 CET	53	58306	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:19.295212030 CET	64124	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:19.343066931 CET	53	64124	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:19.796638966 CET	49361	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:19.852883101 CET	53	49361	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:20.430563927 CET	63150	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:20.486757994 CET	53	63150	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:21.181947947 CET	53279	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:21.232682943 CET	53	53279	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:21.677417994 CET	56881	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:21.733674049 CET	53	56881	8.8.8.8	192.168.2.3
Jan 20, 2021 17:15:24.502064943 CET	53642	53	192.168.2.3	8.8.8.8
Jan 20, 2021 17:15:24.559706926 CET	53	53642	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 20, 2021 17:12:53.715147018 CET	192.168.2.3	8.8.8.8	0x8479	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:12:59.203219891 CET	192.168.2.3	8.8.8.8	0xe3ae	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:04.612528086 CET	192.168.2.3	8.8.8.8	0x8ef4	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:10.573229074 CET	192.168.2.3	8.8.8.8	0xe472	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:27.398511887 CET	192.168.2.3	8.8.8.8	0xca6e	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:44.700119019 CET	192.168.2.3	8.8.8.8	0x351d	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:01.463038921 CET	192.168.2.3	8.8.8.8	0x94d4	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:06.915060997 CET	192.168.2.3	8.8.8.8	0xc850	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:12.313934088 CET	192.168.2.3	8.8.8.8	0x9af0	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:17.765189886 CET	192.168.2.3	8.8.8.8	0x8715	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:34.662410975 CET	192.168.2.3	8.8.8.8	0x70d	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:51.294055939 CET	192.168.2.3	8.8.8.8	0x5b8e	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:07.953716993 CET	192.168.2.3	8.8.8.8	0x40c7	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:13.571491957 CET	192.168.2.3	8.8.8.8	0x7292	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:19.055500031 CET	192.168.2.3	8.8.8.8	0x5a57	Standard query (0)	kcfresh.duckdns.org	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:24.502064943 CET	192.168.2.3	8.8.8.8	0x377b	Standard query (0)	kcfresh.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 20, 2021 17:12:53.936311007 CET	8.8.8.8	192.168.2.3	0x8479	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:12:59.251117945 CET	8.8.8.8	192.168.2.3	0xe3ae	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:04.668864012 CET	8.8.8.8	192.168.2.3	0x8ef4	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:10.630872011 CET	8.8.8.8	192.168.2.3	0xe472	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:27.457781076 CET	8.8.8.8	192.168.2.3	0xca6e	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:13:44.757843018 CET	8.8.8.8	192.168.2.3	0x351d	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:01.684941053 CET	8.8.8.8	192.168.2.3	0x94d4	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:06.971584082 CET	8.8.8.8	192.168.2.3	0xc850	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:12.535736084 CET	8.8.8.8	192.168.2.3	0x9af0	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:17.825486898 CET	8.8.8.8	192.168.2.3	0x8715	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:34.718652010 CET	8.8.8.8	192.168.2.3	0x70d	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:14:51.350522041 CET	8.8.8.8	192.168.2.3	0x5b8e	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:08.320425987 CET	8.8.8.8	192.168.2.3	0x40c7	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:13.628048897 CET	8.8.8.8	192.168.2.3	0x7292	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:19.111709118 CET	8.8.8.8	192.168.2.3	0x5a57	No error (0)	kcfresh.duckdns.org	185.140.53.227	A (IP address)	IN (0x0001)
Jan 20, 2021 17:15:24.559706926 CET	8.8.8.8	192.168.2.3	0x377b	No error (0)	kcfresh.ddns.net	105.112.102.172	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: company profile.exe PID: 5960 Parent PID: 5652

General

Start time:	17:12:32
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\company profile.exe'
Imagebase:	0xec0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5976 Parent PID: 5960

General

Start time:	17:12:45
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'
Imagebase:	0x1310000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2212 Parent PID: 5976

General

Start time:	17:12:46
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: company profile.exe PID: 204 Parent PID: 5960

General

Start time:	17:12:47
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x2f0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: company profile.exe PID: 2540 Parent PID: 5960

General

Start time:	17:12:48
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x1d0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: company profile.exe PID: 6080 Parent PID: 5960

General

Start time:	17:12:48
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xdb0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5864 Parent PID: 6080

General

Start time:	17:12:51
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'
Imagebase:	0xb90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5636 Parent PID: 5864

General

Start time:	17:12:51
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: company profile.exe PID: 4920 Parent PID: 528

General

Start time:	17:12:54
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\company profile.exe' 0
Imagebase:	0x850000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6368 Parent PID: 4920

General

Start time:	17:13:12
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'
Imagebase:	0xb90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6376 Parent PID: 6368

General

Start time:	17:13:13
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: company profile.exe PID: 6412 Parent PID: 4920

General

Start time:	17:13:13
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3b0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: company profile.exe PID: 6420 Parent PID: 4920

General

Start time:	17:13:14
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3d0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: company profile.exe PID: 6440 Parent PID: 4920

General

Start time:	17:13:15
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0xf0000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: company profile.exe PID: 6456 Parent PID: 4920

General

Start time:	17:13:15
Start date:	20/01/2021
Path:	C:\Users\user\Desktop\company profile.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x570000
File size:	1499648 bytes
MD5 hash:	02F3EEF9DA2EF90D0CF59BFACA176886
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: company profile.exe PID: 5960 Parent PID: 5652 company profile.exeCOMMON

Executed Functions

Function 03340512, Relevance: 2.6, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

\bn#, xrefs: 033406B6
<, xrefs: 03340631

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID: <$\bn#
API String ID: 0-1705670590
Opcode ID: 5596bbaac9ebf806b77a921bf7c744284f50000ac7db1b087b715c6e1898c54c
Instruction ID: 230821dfcea063d16d8bbbdff3be4ab0f5600012e7524d1d233b1a74bfe35585
Opcode Fuzzy Hash: 5596bbaac9ebf806b77a921bf7c744284f50000ac7db1b087b715c6e1898c54c
Instruction Fuzzy Hash: D551A775E046188FDB58CFAAC9506DDFBF2BF89304F14C1AAD519AB224EB345A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03341590, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207a55348d1b82ece8eea06790e81b50a46325def9d01261be95d93333167a6f
Instruction ID: 9d6164adfda27d452ca8935b1d232a663936a813f272c8d7fa06553aed10a1f6
Opcode Fuzzy Hash: 207a55348d1b82ece8eea06790e81b50a46325def9d01261be95d93333167a6f
Instruction Fuzzy Hash: A9610375D092589FCF51CFB8D8806EEFBF0AF0A314F19949AD841AB211D335AA46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 033415D1, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0334170C

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 7f567bebf52d25b8c753cb48325430b2a80f29c675ce25439858e734c1ccf63b
Instruction ID: 783e482e3f42824aeabac40916de04953075ece4ed5a54ac3f0ede5e10227e8c
Opcode Fuzzy Hash: 7f567bebf52d25b8c753cb48325430b2a80f29c675ce25439858e734c1ccf63b
Instruction Fuzzy Hash: 78510579D092589FCF11CFA8D8806EEFBF0BF0A314F29945AD444AB211D334A946DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03341670, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0334170C

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: fb24a4549e257d2bd17068c625d2d83f3cc527fbdb3f2346b61c2b3fd5b4f8e5
Instruction ID: 2c04b85e535407bdc3d9fa00059ecdb2dd85a1884f36b2a3c03a6bbc2ea5a808
Opcode Fuzzy Hash: fb24a4549e257d2bd17068c625d2d83f3cc527fbdb3f2346b61c2b3fd5b4f8e5
Instruction Fuzzy Hash: D841BCB9D04258DFCB00CFA9D584AEEFBF4AB09314F14905AE414B7250D738AA89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0334B4D0, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

>hNG, xrefs: 0334B590

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID: >hNG
API String ID: 0-4046879918
Opcode ID: 717a0d71178032a8c68b6e268e047357c0bed689249743952cb33f78df051994
Instruction ID: 2a0874789c9a9c486e609b4c860a7c76dc2434d642d653bc81598f4df51951d3
Opcode Fuzzy Hash: 717a0d71178032a8c68b6e268e047357c0bed689249743952cb33f78df051994
Instruction Fuzzy Hash: 9D51F074E046198BCB14DFE9C9805DDFBB6BF89300F24862AD51AAB614EB70A985CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0334BA20, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23af1ec4e8acac24ef2a4e9adadefb05c6ed2f655df57d45e167ed7f56ef463
Instruction ID: f886ce0c842127ffb58df31fde3cc6a4053dea579752d87681ea2ed484bb6ca6
Opcode Fuzzy Hash: d23af1ec4e8acac24ef2a4e9adadefb05c6ed2f655df57d45e167ed7f56ef463
Instruction Fuzzy Hash: 83C14570E05218CFCB24DFA9D9846DDFBFAFB89300F108469D54AAB654DB34A941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 03342379, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7a8f2a3f226abb575ddc4e9abb9149a320a02305d3b2871991bc8e909deb30
Instruction ID: a23313944b02e91bb0435d7f9a2e77781609fcf9cbc56ff7426b3da786ffa453
Opcode Fuzzy Hash: dc7a8f2a3f226abb575ddc4e9abb9149a320a02305d3b2871991bc8e909deb30
Instruction Fuzzy Hash: D7B11474E142598FCB05CFE9D8806EEFBF2EF8A300F14986AD915AB255D730A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059CC72C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e8fcef2cb242aad7b1722e9f2d9ed294f2254867800b63f66dbb83f91f453c
Instruction ID: cb7eece29903f6969b8714ded0e56c15b7342a3596bf0e4d2d26a49f9eae2933
Opcode Fuzzy Hash: 98e8fcef2cb242aad7b1722e9f2d9ed294f2254867800b63f66dbb83f91f453c
Instruction Fuzzy Hash: 4491A235E003198FCB04DBA4D8949DDBBBAFF89304F248659E41AAB7A4DB30A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 059CCC98, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89de57f4761c68f8fa9d29542ee2ce7ae3a02c462e9d315d9b13c9bcd2b14cf3
Instruction ID: 70b79551d1d3cff4c7aa44e20bde0e4888da4917f28bf3e1e562f01ab0cdc9ae
Opcode Fuzzy Hash: 89de57f4761c68f8fa9d29542ee2ce7ae3a02c462e9d315d9b13c9bcd2b14cf3
Instruction Fuzzy Hash: 46818135E003199FCB04DFE0D8948DDBBBAFF8A300F258259E415AB764EB30A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03342410, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d53c5f9cd21660aaa33cb4cb7ece9d31601441d7af1776cd5094651d206bf28
Instruction ID: ba7737b9ba6a455d9d64817e8ec739c01c5065fa66c4ca3ad5d05579eae78126
Opcode Fuzzy Hash: 7d53c5f9cd21660aaa33cb4cb7ece9d31601441d7af1776cd5094651d206bf28
Instruction Fuzzy Hash: 9C81B074E142198FDB08CFE9D880AAEFBB6EF89300F14942AE519BB354D734A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03342B48, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1863fcc9e3164af818caa124da8d898445e069ae3f574f0ee693ef03db845be
Instruction ID: 781a69bc019a502646b9a75100ff0abf8be0938c57fefe4d3be04eb8686dbdb1
Opcode Fuzzy Hash: c1863fcc9e3164af818caa124da8d898445e069ae3f574f0ee693ef03db845be
Instruction Fuzzy Hash: 166126B0D052198FCB09CFA9D8906AEFBF2FF8A200F18C96AD409F7255D7345A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03346B4A, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96cb6511648a0838e4a547e78004a3752f45523f0140fb53e8560f51c6e184a
Instruction ID: bd73d24e7eb7e8a4beed6ed0263ddc0a1e9ef9b143753fb5c2af711f449f8a21
Opcode Fuzzy Hash: a96cb6511648a0838e4a547e78004a3752f45523f0140fb53e8560f51c6e184a
Instruction Fuzzy Hash: 7051E474E056188FDB54CFAAC984A8EFBF7BF89314F08C5A6C408AB215D730A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03344DA8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4ffd496acf220777d9663b89515f35d4449bbcb6f5c616ac9095e1ece5635d
Instruction ID: c05d29ac5f90eba9b9475a7b3d8acb9d3f1846cfe39136a0e309d5d1ea870163
Opcode Fuzzy Hash: cd4ffd496acf220777d9663b89515f35d4449bbcb6f5c616ac9095e1ece5635d
Instruction Fuzzy Hash: 1B410A74E1521ADFCB44CFAAC580AAEFBF6FF85200F14C9AAC415A7215D334AA418F91

Uniqueness

Uniqueness Score: -1.00%

Function 0334FD48, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0066e6445827765bf011b21578896c1243b27792da104daef9a800409d2ea393
Instruction ID: 5bc46b635106bdf02660242a673323b79d9d681ddc31c744c8d68747c4f60c32
Opcode Fuzzy Hash: 0066e6445827765bf011b21578896c1243b27792da104daef9a800409d2ea393
Instruction Fuzzy Hash: FA41CBB4D002189FDB10CFA9C984BDEFBF0BB09304F24902AE404BB261CB74A989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0334355A, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5ce94867cf4c7873a420bcc38f8c718aeaa59e41704aa5beceec2a1762b725
Instruction ID: c4505d9b4674edc02b6f64cd8a899ab11cd9c4e81831a1505b7ca4f4ddc1b99f
Opcode Fuzzy Hash: 5c5ce94867cf4c7873a420bcc38f8c718aeaa59e41704aa5beceec2a1762b725
Instruction Fuzzy Hash: 6B31F871E006188BDB18CFAAD8843DEBBF2AFC9310F14C16AD408A7258DB741A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059C80BB, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 059C8128
GetCurrentThread.KERNEL32 ref: 059C8165
GetCurrentProcess.KERNEL32 ref: 059C81A2
GetCurrentThreadId.KERNEL32 ref: 059C81FB

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5c01c6fa2a4f62a3f369a846734a29d190bdc34a33d0feaf93b18ed04619f976
Instruction ID: a30aefa5c6b5b05e12e3f6e2cf597003118e3cd5d79792a6c973347ca21462f2
Opcode Fuzzy Hash: 5c01c6fa2a4f62a3f369a846734a29d190bdc34a33d0feaf93b18ed04619f976
Instruction Fuzzy Hash: 9D5154B09007498FDB10CFA9DA88BEEBFF4FF49304F258499E009A7291D7345884CB66

Uniqueness

Uniqueness Score: -1.00%

Function 059C80C8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 059C8128
GetCurrentThread.KERNEL32 ref: 059C8165
GetCurrentProcess.KERNEL32 ref: 059C81A2
GetCurrentThreadId.KERNEL32 ref: 059C81FB

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 85310b6a173c4291d7240a02348d45caec0a7ff83664bd828e5d028f42cd1f20
Instruction ID: 9aee147e4e8b6c0374a0009caed8ecb7b54996a0b04c881ff62da07894bfcc31
Opcode Fuzzy Hash: 85310b6a173c4291d7240a02348d45caec0a7ff83664bd828e5d028f42cd1f20
Instruction Fuzzy Hash: DA5143B09007499FDB10CFA9DA88BEEBFF5FF48304F218459E409A7290D7345884CB66

Uniqueness

Uniqueness Score: -1.00%

Function 059C5C90, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 059C5F02

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f734713e538d6a012981a666049e31d0cd3ccbd05468ebd683f7ee4e12923022
Instruction ID: cfd8e14e27d69aad4976efdb2bd40af35e0fa3d8f89549461539cc5966f4a92e
Opcode Fuzzy Hash: f734713e538d6a012981a666049e31d0cd3ccbd05468ebd683f7ee4e12923022
Instruction Fuzzy Hash: 0991F370A00B098FDB24CF69D484AAABBF5BF89304F11896EE446E7B50D734A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 059CC46F, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 059CC639

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f680994db5b11092126e1b0e8527a948e405d70439f158d79f25f15c2497c725
Instruction ID: 8db6226e11e9016548c402574f33ddc78330450f6690aef16522d5d789e830e8
Opcode Fuzzy Hash: f680994db5b11092126e1b0e8527a948e405d70439f158d79f25f15c2497c725
Instruction Fuzzy Hash: 05717AB4D04218DFDF20CFA9D984ADDBBF1BB09314F54A1AAE818B7211D730AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 059CC478, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 059CC639

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b658eb79cef420dffbc150b9e752c316ff75566b5719eba87cec37e44925456d
Instruction ID: 8d20fff38306529965b1cbffbb8dbc9d20fdb1f4c6933ad50c3d1af95e16f2d1
Opcode Fuzzy Hash: b658eb79cef420dffbc150b9e752c316ff75566b5719eba87cec37e44925456d
Instruction Fuzzy Hash: 49717AB4D042189FDF20CFA9D984ADDBBF1BB09304F5491AAE818B7211D730AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 059C1BF4, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 059C1CF1

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 712993c9edf856d894d34a9c49d6fe33ae95cc9b9ad77aee1f3c3c7f676e7f6b
Instruction ID: 4cd4cd635292778d2ab40b17f2afab57eb7abc569755eb7c75909f6ab1e5fe55
Opcode Fuzzy Hash: 712993c9edf856d894d34a9c49d6fe33ae95cc9b9ad77aee1f3c3c7f676e7f6b
Instruction Fuzzy Hash: 6751E771D0462D8FDB20CFA8C880BDEBBB5BF45304F1184AAD509AB251DB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 059C0308, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 059C1CF1

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 44205cb9d88afff235c8a2af51887ce91bafcd79f3525a160382b2e7ff4c2a19
Instruction ID: 7dc2ce9a95b01081249ebcc5c606b392c8cc6c2038f4a891884c9b14d8efc89c
Opcode Fuzzy Hash: 44205cb9d88afff235c8a2af51887ce91bafcd79f3525a160382b2e7ff4c2a19
Instruction Fuzzy Hash: EB51F671D0462C8FDB20CFA8C880BDEBBB5FF45304F1184AAD509AB251DB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 059C82E8, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059C83BB

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66712a6bee1ef74f36ee459b3f084893e687d5c75dc788195cae8bc9b5169e7d
Instruction ID: 50a72dac0be06a347041a499cd5ebf94876caabc9ebaf1cbbced9f730a1c0629
Opcode Fuzzy Hash: 66712a6bee1ef74f36ee459b3f084893e687d5c75dc788195cae8bc9b5169e7d
Instruction Fuzzy Hash: 4D4165B9D042589FCF00CFA9D984ADEBBF5BB09310F15906AE918BB310D335A985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 059C82F0, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059C83BB

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a7b8a097784cbfd1d1dba56b1771157db29edb894e365265cc01602c024e943
Instruction ID: 67b6e4403160c80573eabf6c051d3391198b5c9702d8744d8c54b321dedf9f46
Opcode Fuzzy Hash: 3a7b8a097784cbfd1d1dba56b1771157db29edb894e365265cc01602c024e943
Instruction Fuzzy Hash: 114166B9D042589FCF00CFA9D984ADEBBF5BB09310F15906AE918BB310D335A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 059C6178, Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 059C622A

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6786b44c941d73922f746df251e5ce423b4fa23de931184f9c801843c559e1d6
Instruction ID: 7fa73b4e83156c5c68f847a255509e78dfb67704e92a0cd088cbe86f0649aa60
Opcode Fuzzy Hash: 6786b44c941d73922f746df251e5ce423b4fa23de931184f9c801843c559e1d6
Instruction Fuzzy Hash: 5141A9B4D042589FCF10CFA9D884ADEFBF5BB09310F14906AE818BB210D334A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 059C5930, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 059C622A

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c50e849697ba11753986d80460ea0577da474cd37baac6e7543734d44bcd00b8
Instruction ID: 684aa920798a8ee37a33ed3e535101aff40a32c25396451dae02deb84fb63e1f
Opcode Fuzzy Hash: c50e849697ba11753986d80460ea0577da474cd37baac6e7543734d44bcd00b8
Instruction Fuzzy Hash: DC4197B4D042589FCB10CFAAD884AAEFBF5BB49310F14906AE915B7310D334A946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 059CC82C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059CF0A1

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bc1fb5f99da124e967e7580c008fd36d0d905a390c6e4039eb874fa180807069
Instruction ID: eaf576a3e1deb17b58c40990007de5562ffb86f54258cc165c817543dcda8e9f
Opcode Fuzzy Hash: bc1fb5f99da124e967e7580c008fd36d0d905a390c6e4039eb874fa180807069
Instruction Fuzzy Hash: 504149B8A00605CFCB14CF99C488AAABFF6FB88314F15C489D519AB321D735A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03341788, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03341837

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5d8c976fe781f5df039d81e2b9361c266e08b8634b4e13b6f23a715c2eb9420d
Instruction ID: 8cc252686ad0d3e479b9f346a869fecd41c8d2d60c8a57802df7f2dfde709beb
Opcode Fuzzy Hash: 5d8c976fe781f5df039d81e2b9361c266e08b8634b4e13b6f23a715c2eb9420d
Instruction Fuzzy Hash: C03198B9D042589FCF10CFA9E984AEEFBF5BB59310F14902AE814B7210D735A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 03349D58, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03349DFF

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3bf50509919374e654d9c5c7911f2318e4f03d8fa3476ffad0463713ea23c67c
Instruction ID: 9577c97419fa44e2e452563ea21ea445616bd6b868aabd67142a2de0b12bdcbe
Opcode Fuzzy Hash: 3bf50509919374e654d9c5c7911f2318e4f03d8fa3476ffad0463713ea23c67c
Instruction Fuzzy Hash: 0D3198B9D042589FCF10CFA9D984AEEFBF5BB09314F14902AE814B7210D735A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03341790, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03341837

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b25c5237f0f8beba469b3147a0a960ad9cb5f61b7b5cb60a094eeda93217aa36
Instruction ID: 749933dc5521fc5ac2eb7f54a07a92cca0bdf0f555fcf5c34e5ad5d6626a446a
Opcode Fuzzy Hash: b25c5237f0f8beba469b3147a0a960ad9cb5f61b7b5cb60a094eeda93217aa36
Instruction Fuzzy Hash: 383189B9D042589FCF10CFA9D984ADEFBF5BB09314F14902AE814B7210D775A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 03349F0C, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0334C2AA

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 22f7f405d5e707f9015c7d81e73d4919e76ab642bf24258915693a831bee2475
Instruction ID: e0da97fa8aa6307fe66e2c25bf857ecdd3badba4c2e72567dfb2a1f9333f70ce
Opcode Fuzzy Hash: 22f7f405d5e707f9015c7d81e73d4919e76ab642bf24258915693a831bee2475
Instruction Fuzzy Hash: 5431BAB4D052189FCF10CFA9D984ADEFBF5AB49314F14902AE818B7320D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 059C5E70, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 059C5F02

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71bd52b92e0c4e8b133dccf13ca3beb5699bbe7aa96e58256e4ba8e0a08f8299
Instruction ID: 2e13c0ec378ed9401ba659c1772de055dd4584a6180a03cf0744ced878376a45
Opcode Fuzzy Hash: 71bd52b92e0c4e8b133dccf13ca3beb5699bbe7aa96e58256e4ba8e0a08f8299
Instruction Fuzzy Hash: CC31C7B4D002189FCB14CFAAD884ADEFBF5BB49314F15806AE818B7320D334A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0190D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.251915008.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f978006f031cc65b15297ea4810de7c6f79fd091a38d5af7cfb3f7495dc053d8
Instruction ID: a3d6dc26f609ceb8cf60c87ea76e7b05f457196d5e1aa7d6a5731ca0d7e67883
Opcode Fuzzy Hash: f978006f031cc65b15297ea4810de7c6f79fd091a38d5af7cfb3f7495dc053d8
Instruction Fuzzy Hash: 5821F571504244DFDB16CFA4D9C4B26BBB9FB88354F24C96DD90D4B286C337D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0190D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.251915008.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction ID: 9726a1575fbb9633876b36bc97c71fdc72a94d1f9fab94515815a6ad4ab40642
Opcode Fuzzy Hash: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction Fuzzy Hash: 4C118B75504280DFDB12CF94D5C4B15BBB2FB84324F28C6AAD84D4B696C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018FD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.251900439.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570526db6a90df8a945d6ec321bd0a74cf2d3c531d2d49ddbe50888d7d35d210
Instruction ID: 43b4bb6fdf4d0add112d5603f7223403b4db8ae4fc58e8bde7c7b76ac2334009
Opcode Fuzzy Hash: 570526db6a90df8a945d6ec321bd0a74cf2d3c531d2d49ddbe50888d7d35d210
Instruction Fuzzy Hash: FD01A7714083C89AE7104AA9CD847A7FB9CEF45368F18C65DEF049F242D7799944CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.251900439.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bd97d8a453fccd851f309a380daf5f880943607cc4604933cea7e2c40cc71c
Instruction ID: ac790f269373a09d6e02f68f8ea8dee0d8e83cc99d534364f84d8298c672c674
Opcode Fuzzy Hash: f8bd97d8a453fccd851f309a380daf5f880943607cc4604933cea7e2c40cc71c
Instruction Fuzzy Hash: 0DF068714042849EE7118A59CD84766FF98EB41774F18C55AEE045F282D3759844CA71

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 033466E0, Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

n}$, xrefs: 033467D3
n}$, xrefs: 033467B5
n}$, xrefs: 033467AE

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID: n}$$n}$$n}$
API String ID: 0-2441052029
Opcode ID: 6578231a664e445f00d0aa01887db482609e65470a320219bbdf9ed181b3452a
Instruction ID: bcfc73fe8971c39ecce0b3f6cb24eac9e5f9ac0aab72bb4a44bb5d97ffb842ba
Opcode Fuzzy Hash: 6578231a664e445f00d0aa01887db482609e65470a320219bbdf9ed181b3452a
Instruction Fuzzy Hash: 0F61F574E15209CFCB08CFAAC5855DEFBF6BF89210F24956AE415BB314D334AA418F64

Uniqueness

Uniqueness Score: -1.00%

Function 033466D1, Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

n}$, xrefs: 033467D3
n}$, xrefs: 033467B5
n}$, xrefs: 033467AE

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID: n}$$n}$$n}$
API String ID: 0-2441052029
Opcode ID: 817e427a217df78e347a8a5f55bec2faf4e3bb67c439086951b35b3a7881dfab
Instruction ID: 50ba23e9ea11feb0e4627a705fd0508c074ec8f8d630269a1c22eb9ed28fc6ea
Opcode Fuzzy Hash: 817e427a217df78e347a8a5f55bec2faf4e3bb67c439086951b35b3a7881dfab
Instruction Fuzzy Hash: B2611474E05209CFCB08CFAAC5855EEFBF6FF89210F24956AE415BB354D334AA418B64

Uniqueness

Uniqueness Score: -1.00%

Function 0334500A, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

m/, xrefs: 03344F56

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID: m/
API String ID: 0-1649136663
Opcode ID: 7533b4f92eedcb35beddfc7dccef1b9c71d3419a744dfe1f397b2f04b74a1048
Instruction ID: 2955a6bb430352af280ee8908194f3e368f7d8758d26c16adfa4a250b4038210
Opcode Fuzzy Hash: 7533b4f92eedcb35beddfc7dccef1b9c71d3419a744dfe1f397b2f04b74a1048
Instruction Fuzzy Hash: 35517D74E1460ACFDB04CFA9C5C06AEFBF6FF86300F6486A9C909A7205D7346A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059CAC70, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6febd35b3debf4216d76b64df2775b491ac45c052ec902b94cbfd518ce8948cb
Instruction ID: f03f4ec060507ff1bd75565c77ae6e34d905e87d94bc77514aa218e64a88a17f
Opcode Fuzzy Hash: 6febd35b3debf4216d76b64df2775b491ac45c052ec902b94cbfd518ce8948cb
Instruction Fuzzy Hash: 0612B9F14917468BD310EF65FA9C1893BB1F7E6328B70C289D1611BAD8DBB9114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 059C9838, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1d5754780cbdfef6ad6da304ece21e9176543b005f58a4d8d4463bef028260
Instruction ID: a36fb76dd2ff62e1f76013b6e2ba911d6edd5dcba9a164336fc40fa60a68825c
Opcode Fuzzy Hash: 8c1d5754780cbdfef6ad6da304ece21e9176543b005f58a4d8d4463bef028260
Instruction Fuzzy Hash: 8DA18032E00219CFCF05DFB5C8485DEBBB6FF85300B1581AAE806AB225EB35A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03345582, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82f3443365caf0501b2ad71bf3d6b3d5bfa8a13cd68bab2622464e08e1cdae0
Instruction ID: 4528432bf2b320e29d507700c8a547c2b8ecc4eff6b974506e76453ec977acdb
Opcode Fuzzy Hash: a82f3443365caf0501b2ad71bf3d6b3d5bfa8a13cd68bab2622464e08e1cdae0
Instruction Fuzzy Hash: 09A1F474E15219CFDB44CFA9D5809AEFBF2FF4A310F2495A9E41AAB210D334AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 059CAC6B, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f2497e7c19fb55b2c64e8b45aceb4b716dee6018aef716917e02494a6c1ade
Instruction ID: 22fd8632d36970b41a4ef74dbac64971a9ccfca413dce543e5a2f98cf0b76062
Opcode Fuzzy Hash: b1f2497e7c19fb55b2c64e8b45aceb4b716dee6018aef716917e02494a6c1ade
Instruction Fuzzy Hash: 79C118B18517458AD310EF64FA8C1893BB1FBE6328F708288D1612B6D8DBB9154ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 03342FF8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f380642d8e02b9f7a57196cef3e873ab5111407f0ea7da5901f088a461f27b
Instruction ID: b44eb63dae2383bc71aec37913032445aa2c882582a546e198e268826d28f9ff
Opcode Fuzzy Hash: 56f380642d8e02b9f7a57196cef3e873ab5111407f0ea7da5901f088a461f27b
Instruction Fuzzy Hash: C2814AB8D0520ADFCB04CF99D5809AEFBF5FF88360F14952AD456AB210C338AA51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 033452E0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d0b46970587c6f3d16a45b509c98a772a7092fcf5e66577eb318134a528369
Instruction ID: 68a8d1f85c23a9a4f3fb536dc59a32af64f2295d2923c276394f9f6cfc780fbb
Opcode Fuzzy Hash: 03d0b46970587c6f3d16a45b509c98a772a7092fcf5e66577eb318134a528369
Instruction Fuzzy Hash: 4C81FF74E14219CFDB44CFA9D5809AEFBF2FF89210F249569E409AB324D370AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 033452D0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113c332cce75010f44f849f446bac445a0ece82b08306886b09196b00762a19b
Instruction ID: eef017b504b6b2a7e9d109a56ef691fb16b01a6be04e97122277964361af8096
Opcode Fuzzy Hash: 113c332cce75010f44f849f446bac445a0ece82b08306886b09196b00762a19b
Instruction Fuzzy Hash: 0981EF74E15219CFDB44CFA9D5809AEFBF2FF8A310F14956AE405AB220D370AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0334609A, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f4400ac5374c5a86315f6f6a9eeb9d077e9d7811ea3dcda695ff1d28f88117
Instruction ID: 6f3eb98817eb824aa09c5386f1a21834f69a8fc5d018fcfa2e9ae77da06a48c3
Opcode Fuzzy Hash: 27f4400ac5374c5a86315f6f6a9eeb9d077e9d7811ea3dcda695ff1d28f88117
Instruction Fuzzy Hash: 7A811274E0520ACFCB00CFA9C5809EEFBF5FF4A210F188566D415A7255D334A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 033475F4, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6816544e4a41da42fb679289f45c3f457fc282d2bef11182f96de18b0e4e5260
Instruction ID: 5dadb0643c56e31d41fbce556d33f2dceaae68cff292425e9b37bf5c3ad804e0
Opcode Fuzzy Hash: 6816544e4a41da42fb679289f45c3f457fc282d2bef11182f96de18b0e4e5260
Instruction Fuzzy Hash: F5710BB1D056188BDB19DF7B8D8429AFBF3BFC6300F19D0AAC418AB215DB345A429F51

Uniqueness

Uniqueness Score: -1.00%

Function 03345E20, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a4fe01633705d6fb5fa5f86fec139d062d4ab788c0513fe8246964f72a792e
Instruction ID: c19326c9cac296df50d0ab5d6f9d76d25b55a7001c31770ee3561ecc4412e770
Opcode Fuzzy Hash: 97a4fe01633705d6fb5fa5f86fec139d062d4ab788c0513fe8246964f72a792e
Instruction Fuzzy Hash: 407103B4D0520ACFCB04CF99C5808EEFBF6FF89240F588529D416AB224D334A982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03345E10, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468eff2523cf4a9e738640eec110eca3fadf8845b47ac5631404291d98dc34a9
Instruction ID: 0aafa08482a6c8505ff41fe903eb2cf31d8ec021a03d81900ca3c3b377790ac7
Opcode Fuzzy Hash: 468eff2523cf4a9e738640eec110eca3fadf8845b47ac5631404291d98dc34a9
Instruction Fuzzy Hash: 0B710474E0520ADFCB04CFA9C5809AEFBF6FF8A310F188566D415A7225D334A982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0334AC10, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38f19580cf191ca61e1f6bf69b9b2f1a4d6adf82947951fc6ab685bd97739f9
Instruction ID: 635344d5bfcdf138175e6441052c9310f5c636076a38703c0766f6db384f0cf7
Opcode Fuzzy Hash: d38f19580cf191ca61e1f6bf69b9b2f1a4d6adf82947951fc6ab685bd97739f9
Instruction Fuzzy Hash: 60514E74E14119CBDB14CF9AD9806AEFBF6FB89304F24C5A9D418A7315D730A9418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 03346932, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c1bc0628b470da629e6ea46b2c3f91576427ae1c53a94544d5db6f6e6abbd5
Instruction ID: 9e3565d16efc5852b96112432706061ebced9288192030dedc112711244a5e8c
Opcode Fuzzy Hash: 94c1bc0628b470da629e6ea46b2c3f91576427ae1c53a94544d5db6f6e6abbd5
Instruction Fuzzy Hash: 5A511874E1520ADFCB08CFA9C5825AEFBF2FF8A350F24E56AC405A7214D3709A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03346940, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e9bd8e05f344ea7caf9dcbe354197c6b329f7f8a90ce252d28742eba3a1329
Instruction ID: 037df434fc8e373e20f5f595668303e2cbb63afd1a150949c8c219fe8a5975c3
Opcode Fuzzy Hash: d5e9bd8e05f344ea7caf9dcbe354197c6b329f7f8a90ce252d28742eba3a1329
Instruction Fuzzy Hash: 94510974E1520ADBCB04CFA9C5825AEFBF6FF89350F24E46AC505B7214D370AA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03346498, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b344579bfb6e46a79287f959a36b36ae07cac690eb6d294cb1a62541dfd32ad9
Instruction ID: 1047343d8e4e65839a78b2014a265464333a92b83549dc725f706043c6b17637
Opcode Fuzzy Hash: b344579bfb6e46a79287f959a36b36ae07cac690eb6d294cb1a62541dfd32ad9
Instruction Fuzzy Hash: B541E874E0460A9FCB48DFAAC5815AEFBF2FF8A300F14C56AC415A7258D734AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 033464A8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b377378956ef3a3a028cac22472c5a4f0a7de7cdf0de7a418021e82df8a5c52
Instruction ID: fc37f89cf1f3250a639ac61ae4295eebb0ac50309ad14017c3e6431d25993db2
Opcode Fuzzy Hash: 0b377378956ef3a3a028cac22472c5a4f0a7de7cdf0de7a418021e82df8a5c52
Instruction Fuzzy Hash: B041E9B4E0460A9FCB08DFAAC5815AEFBF6FF89300F14D46AC415A7258D734AA418F95

Uniqueness

Uniqueness Score: -1.00%

Function 033448D2, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29a388e6ceaa23970c6902203b7c1b96c1633e89b2a3049df906ecfdca22b73
Instruction ID: 166efe84c5a52586fe2b7501540b619d841a4487fdc18c8803d7623c8a3e5062
Opcode Fuzzy Hash: b29a388e6ceaa23970c6902203b7c1b96c1633e89b2a3049df906ecfdca22b73
Instruction Fuzzy Hash: 96411674E152198FCB44CFAAC4809EEBBF5BF89210F14966AD415B7224D7309A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03346C06, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92072faa45db5a8bae6cd035694fdfae7e944e650a393c7e167bbec9ab17b0e1
Instruction ID: d8681dcdf0abf0f6a7588e31da8a81c9c9cd688c243bb49b7d1bb518342cbed4
Opcode Fuzzy Hash: 92072faa45db5a8bae6cd035694fdfae7e944e650a393c7e167bbec9ab17b0e1
Instruction Fuzzy Hash: 4E411374A10219CFDB50CFA9C985A8EFBF6BF8A310F09C695D409AB216C334E981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059CD748, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378241ff1cc3f745ae935f49a4e48cf59e9a6b3902a2a7dbe950448cdd0b512d
Instruction ID: c5c2ea39aa0f15000aae3f55d78ff8efbdfa7d8b60340d4a64e295100ab51b03
Opcode Fuzzy Hash: 378241ff1cc3f745ae935f49a4e48cf59e9a6b3902a2a7dbe950448cdd0b512d
Instruction Fuzzy Hash: 6831BBB8D052589FCB10CFA9E984ADEFBF5BB49314F24906AE404B7310D335A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 059CD750, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215eccc8017a15479350af05832562d0c142e1f43bc46c8d70540a93808ac2b1
Instruction ID: 78c4644f4f24c04e45eb8d28674bcc9c69a8e8bb261c96e4b63883264ea1b9f6
Opcode Fuzzy Hash: 215eccc8017a15479350af05832562d0c142e1f43bc46c8d70540a93808ac2b1
Instruction Fuzzy Hash: 6731AAB9D052589FCB10CFA9E984ADEFBF5BB49314F24906AE405B7310D334A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0334FEB8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40063cb37c732296798920d73dce8a6754f4d2a1af27b1d680bd9137ea7a15d
Instruction ID: 6d2738994a32fb00dd4edb4591a1843b5be3e1816d11462ad0face4f2fea3b06
Opcode Fuzzy Hash: e40063cb37c732296798920d73dce8a6754f4d2a1af27b1d680bd9137ea7a15d
Instruction Fuzzy Hash: 3B313FB4D05218DFCB14CFA9D984AAEFBF2BB4A350F249229E814B7350D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03341891, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252212293.0000000003340000.00000040.00000001.sdmp, Offset: 03340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bdd8c23a0d07c23f51c6c68619d5adceab3b35b27a57426c848d28c3057649
Instruction ID: 1daca37a0be10f9bd3eb1f0bab988ea9fcec05dc548816cc1f5b50914ee2c224
Opcode Fuzzy Hash: 56bdd8c23a0d07c23f51c6c68619d5adceab3b35b27a57426c848d28c3057649
Instruction Fuzzy Hash: 4F21CA71E056188FEB18CFABD84069EFBF7AFC9200F04C5BAC918A6264EB3415458F51

Uniqueness

Uniqueness Score: -1.00%

Function 059CFF56, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dc5001691143cd6af34857922e5fd6bb4d302917b1b25b603fa4a053e72d94
Instruction ID: 82ae117630e17efd78e598ba48ace89bc1d6ce480a2e9f299bfea2eeb4e6a3bb
Opcode Fuzzy Hash: 02dc5001691143cd6af34857922e5fd6bb4d302917b1b25b603fa4a053e72d94
Instruction Fuzzy Hash: 3601DB76D052099F8B14DF99D5818DEFBF2FB5A310F14906AE815B3310D331A911CF58

Uniqueness

Uniqueness Score: -1.00%

Function 059CFF60, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257083901.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 7b4fbf9275103414a557b1e6a1b9fe583d5bb921438578c19e0c6c4aa0f8a99e
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: C3F042B5D0520C9F8F04DFA9D5418EEFBF2AB9A310F10A16AE814B3310E7359951CFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: company profile.exe PID: 6080 Parent PID: 5960 company profile.exeCOMMON

Executed Functions

Function 031AB6C0, Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031AB730
GetCurrentThread.KERNEL32 ref: 031AB76D
GetCurrentProcess.KERNEL32 ref: 031AB7AA
GetCurrentThreadId.KERNEL32 ref: 031AB803

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 560a965fcb22062cd4816e61174aa44ccfed9fa14f35b8676fea9ddf07444c4f
Instruction ID: f61909d47e9204d6f0071c837e09ed82ad9dd716ed45c155c17be753b25877af
Opcode Fuzzy Hash: 560a965fcb22062cd4816e61174aa44ccfed9fa14f35b8676fea9ddf07444c4f
Instruction Fuzzy Hash: 885172B49046888FDB14CFA9D688BEEBBF0AF4C315F24C45AE009B7391D7749884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031AB6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031AB730
GetCurrentThread.KERNEL32 ref: 031AB76D
GetCurrentProcess.KERNEL32 ref: 031AB7AA
GetCurrentThreadId.KERNEL32 ref: 031AB803

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 420db4d20909b323ce83bda3587caf8d9c3860025437d3ed3c9ef87ffd1eb9d5
Instruction ID: ed8696e379048690669a1f9a0b1c71f040ed8a555f685e3a1bf84e1a7637816e
Opcode Fuzzy Hash: 420db4d20909b323ce83bda3587caf8d9c3860025437d3ed3c9ef87ffd1eb9d5
Instruction Fuzzy Hash: 885154B49046888FDB14CFA9D648BEEBBF0BF4C304F248459E119B7391D7749884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C23560, Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.597261233.0000000006C20000.00000040.00000001.sdmp, Offset: 06C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135e9889cfc97ca48e039007f5a7cf8ab3df748fef5581d2e484b8958324da00
Instruction ID: eefe46cefe58de1fa68de6f1e01b1f5b528940cc82bd9a5300021103f7b4b4e3
Opcode Fuzzy Hash: 135e9889cfc97ca48e039007f5a7cf8ab3df748fef5581d2e484b8958324da00
Instruction Fuzzy Hash: 448158B1D0426ACFDB10CFA9C9806DEBBB5FF49314F10852AD819AB250DB789949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031A93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031A962E

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef7fdfbd494feb39f72b3da1ee6ba7bfc8c87d66026b2eed756e24bfab8bcd55
Instruction ID: 83254c55ee702bb42ba3e4be853ac3feff6a67b768c4ee0008cc5fc342fedf80
Opcode Fuzzy Hash: ef7fdfbd494feb39f72b3da1ee6ba7bfc8c87d66026b2eed756e24bfab8bcd55
Instruction Fuzzy Hash: 66716774A00B098FD764DF6AC5417AABBF5FF88205F04892ED44ADBA40EB34E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031AFB81, Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031AFD0A

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 658bb306034f7d1e0fc574e8a7c1e94f2185613a12ff7a27c1118c057672da4d
Instruction ID: 8894833e6e7b55f621de05f014aed267f91b05cfb792695b3b2f3d208c6f732c
Opcode Fuzzy Hash: 658bb306034f7d1e0fc574e8a7c1e94f2185613a12ff7a27c1118c057672da4d
Instruction Fuzzy Hash: 9A610275C04249AFCF16CFA9D880ACEBFB5FF49314F19816AE818AB221D7759846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06C2360C, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06C23740

Memory Dump Source

Source File: 00000006.00000002.597261233.0000000006C20000.00000040.00000001.sdmp, Offset: 06C20000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 31cb94166094282f0010c8c866632d61d374501ed611ea0792ce43a7a6b33709
Instruction ID: 38737829d643d3e4403f90477a54312e24e7a523c9fd7871a105ba04f9022128
Opcode Fuzzy Hash: 31cb94166094282f0010c8c866632d61d374501ed611ea0792ce43a7a6b33709
Instruction Fuzzy Hash: 275134B1D00269DFDF10CFA9C9847DDBBB5BF49704F248529E818AB250DB789945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06C21FDC, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06C23740

Memory Dump Source

Source File: 00000006.00000002.597261233.0000000006C20000.00000040.00000001.sdmp, Offset: 06C20000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 07c521444408513f7a3b91462ddb4121badb3832ef863b43355a7c6af3353573
Instruction ID: 24760ba469f0fc0490e1dd0397bb3b473e9066f7218469462e3168dbf4dcc0b5
Opcode Fuzzy Hash: 07c521444408513f7a3b91462ddb4121badb3832ef863b43355a7c6af3353573
Instruction Fuzzy Hash: 905125B1D002699FDF10CFA9C9847DEBBB5FF48704F248529E818A7250DB785945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031AFBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031AFD0A

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 732dcb194e106700011763a980f3d46ee14aa528206a7f228229d97dbbb483af
Instruction ID: 806cdc4ace0f6ec2b9ef307a141921cf36becac3c10e579d73d37b34c3bfe0b1
Opcode Fuzzy Hash: 732dcb194e106700011763a980f3d46ee14aa528206a7f228229d97dbbb483af
Instruction Fuzzy Hash: 7141C0B5D003499FDB14CF99C984ADEFBB5FF48314F24812AE819AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031ABCF9, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031ABD87

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: affb5b4cd8044c5b28765f6a5b6d3ce2d891eaa41bfea071d4b63402e1fc4793
Instruction ID: a1f47e7f6d5d06aba3d1f6668387e80eb019fe2086bdcdc12801771acee54f85
Opcode Fuzzy Hash: affb5b4cd8044c5b28765f6a5b6d3ce2d891eaa41bfea071d4b63402e1fc4793
Instruction Fuzzy Hash: D02114B59002489FCB10CFA9D984ADEFFF8FB48324F15801AE918A3310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031ABD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031ABD87

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3cb8f96058d59b7aa89761392d57b1075788d0ac9494235deee6260876c058a
Instruction ID: 518a7f6d114ccf7c2027db70b0fa55719fe1842efed1714ff77fadd96ff58ca4
Opcode Fuzzy Hash: d3cb8f96058d59b7aa89761392d57b1075788d0ac9494235deee6260876c058a
Instruction Fuzzy Hash: 1721C4B59002499FDB10CF99D984ADEBFF8FB48324F15841AE918A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031A9849, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031A96A9,00000800,00000000,00000000), ref: 031A98BA

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 637b1d4de13f83101b8b6fe8213b8d552c3003ae69543e08220d408ce7a44991
Instruction ID: c9e4ac77ffb3fd8ad2358024972f8e90f8a3b263d5bb8cd98c27cdc2e2c5b672
Opcode Fuzzy Hash: 637b1d4de13f83101b8b6fe8213b8d552c3003ae69543e08220d408ce7a44991
Instruction Fuzzy Hash: 661117B6D006499FCB10CF9AC444ADEFBF8AB49320F05842ED519A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031A8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031A96A9,00000800,00000000,00000000), ref: 031A98BA

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e9d74db38f0fd10524bc026fab13e53e6b3fe1f30bee01c986458c3288eb5267
Instruction ID: fa95c8c768ba67a73caddbf6c782a2b145e7fdb80956716c6cc1537040e26217
Opcode Fuzzy Hash: e9d74db38f0fd10524bc026fab13e53e6b3fe1f30bee01c986458c3288eb5267
Instruction Fuzzy Hash: AB1103B6D046498FCB10CF9AC544ADEFBF4EB48310F05842ED919B7600C779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031AFE38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 031AFE9D

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 931372b79334d7a7ad1de42ad6e2904560e716e463fdb55a4b59ac14a95618fb
Instruction ID: 684dfa9d9784ce87d11e091911b096eabccc241c60bf4021beb5703a46d2678a
Opcode Fuzzy Hash: 931372b79334d7a7ad1de42ad6e2904560e716e463fdb55a4b59ac14a95618fb
Instruction Fuzzy Hash: 951128B5800649DFCB10CF99D984BDFFBF8EB48324F118419D914A7241C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031A95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031A962E

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: be90e970ed835ffa6a273eb6422d3992e7e882ca81907da41c0f6b1ad188f3ac
Instruction ID: f8536eb1e2ba5da77170a7802c677a22bb457167b23f43a45c2f2802118a86f4
Opcode Fuzzy Hash: be90e970ed835ffa6a273eb6422d3992e7e882ca81907da41c0f6b1ad188f3ac
Instruction Fuzzy Hash: F81110B6C006498FCB10CF9AC944BDEFBF4AF88224F15842AD829A7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031AFE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 031AFE9D

Memory Dump Source

Source File: 00000006.00000002.589838424.00000000031A0000.00000040.00000001.sdmp, Offset: 031A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 505f9a05b21588e676c6ea96369931cadfbaf3c23df80851230093ace4fef99c
Instruction ID: dfe3b6dceb453908f88176131490a1fca5485b622f988aa50306988f45f23675
Opcode Fuzzy Hash: 505f9a05b21588e676c6ea96369931cadfbaf3c23df80851230093ace4fef99c
Instruction Fuzzy Hash: 0F1112B58002498FDB10CF99D984BDFFBF8EB48324F11841AD918A7341C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: company profile.exe PID: 4920 Parent PID: 528 company profile.exeCOMMON

Executed Functions

Function 052F80C3, Relevance: 6.1, APIs: 4, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 052F8128
GetCurrentThread.KERNEL32 ref: 052F8165
GetCurrentProcess.KERNEL32 ref: 052F81A2
GetCurrentThreadId.KERNEL32 ref: 052F81FB

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e9ee4c8e1cc36dbb52beb03805ed2298e1109d3286ea75bff525d489a14496bb
Instruction ID: 6ae90749222d8b8e6b5e3c4f3792e949f4cc63e63b0d17008f85232e2dd344f6
Opcode Fuzzy Hash: e9ee4c8e1cc36dbb52beb03805ed2298e1109d3286ea75bff525d489a14496bb
Instruction Fuzzy Hash: 825154B09046498FDB10CFA9DA48BEEFBF1BF48314F208569E509A7291D7745848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052F80C8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 052F8128
GetCurrentThread.KERNEL32 ref: 052F8165
GetCurrentProcess.KERNEL32 ref: 052F81A2
GetCurrentThreadId.KERNEL32 ref: 052F81FB

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7cd540e08aef619e5b631fea59ab077949e9245f6117271210d2247d505df15
Instruction ID: a2e19d21b3c5e763ab4e8b09d400dc4e083f9e8204246a68b64f5811cea999be
Opcode Fuzzy Hash: f7cd540e08aef619e5b631fea59ab077949e9245f6117271210d2247d505df15
Instruction Fuzzy Hash: E35144B09046498FDB10CFA9DA48BEEFBF4BF48314F208569E519A7290D7745848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052F5C90, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 052F5F02

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4df216bc049cea0fb04c1fd2c9a599686fe4c3c174dc3c14a200d79224b13ca8
Instruction ID: d62ffe11720a9ddb8f8c1a7c2d12639485074e4bf8cf4eb795865e76046fcd4c
Opcode Fuzzy Hash: 4df216bc049cea0fb04c1fd2c9a599686fe4c3c174dc3c14a200d79224b13ca8
Instruction Fuzzy Hash: B391F270A11B099FDB24DF69E444BAAFBF1BF48304F10892AE54AE7B50D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052FC46F, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 052FC639

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 09fc0e0382f30739ead9a25c195745f57856a504a64e9996ae1430d1887299d4
Instruction ID: cf031f668995464c3e3ae7964869c609e1af41fc77e354ff3d06c573b4b223cb
Opcode Fuzzy Hash: 09fc0e0382f30739ead9a25c195745f57856a504a64e9996ae1430d1887299d4
Instruction Fuzzy Hash: 5D7189B4D042189FDF20CFA9D984BDEBBB1BF49304F1491AAE908B7211D770AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 052FC478, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 052FC639

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b9deb4deada77427968784c54c1625705dba343a2ba9a14b727ea0debb212826
Instruction ID: 6795797acea6c728f6fff8c88172d7a10974f09adae67adb226f58b632248101
Opcode Fuzzy Hash: b9deb4deada77427968784c54c1625705dba343a2ba9a14b727ea0debb212826
Instruction Fuzzy Hash: D07178B4D142189FCF20CFA9D984BDDBBB1BF49304F10A1AAE908B7211D770AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 052F0308, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 052F1CF1

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 051be0a425882adef00a0093e8951d7697b2605346f1d8863f57edfa7dbe43e5
Instruction ID: 62b6b60d7936267e0be933d9eb3059f7065bc3e797e98063508cc335ef0a0d36
Opcode Fuzzy Hash: 051be0a425882adef00a0093e8951d7697b2605346f1d8863f57edfa7dbe43e5
Instruction Fuzzy Hash: 2451E5B1D1461CCFDB20CFA8C880BCEBBB5BF49304F5084A9D509AB250DB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052F1BFB, Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 052F1CF1

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 70c0218459600bfc4bd27d8b9af222a84e90fd7bd83d201dad73cdb58b8f76d6
Instruction ID: a3c70af7ab0ab8fa2b166ae23a3cccdced23f020fc53300d576f8907e43e0233
Opcode Fuzzy Hash: 70c0218459600bfc4bd27d8b9af222a84e90fd7bd83d201dad73cdb58b8f76d6
Instruction Fuzzy Hash: B251F671D14618CFDB20CFA8C880BCEBBB5BF49304F1085AAD509AB250DB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052F82EB, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 052F83BB

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c8e9161f5ebde279bf1662a94b2314076c36a95adaa8715815420afee6cc29fe
Instruction ID: 956031870b392e63e14b72c64f3671e8187c21e87e707fb5833bc2cc7e067021
Opcode Fuzzy Hash: c8e9161f5ebde279bf1662a94b2314076c36a95adaa8715815420afee6cc29fe
Instruction Fuzzy Hash: 3F4164B9D042589FCB00CFA9D984AEEFBF4BF49310F15902AE918AB210D375A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 052F82F0, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 052F83BB

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e929c0142d2688ed5f536c10cafa31598a7f47af656d987d602cda460dc86c0
Instruction ID: 7a3d4c7e689f73a8d1d690c697a8317147b42f4ffaee2086837785366e89bb1c
Opcode Fuzzy Hash: 7e929c0142d2688ed5f536c10cafa31598a7f47af656d987d602cda460dc86c0
Instruction Fuzzy Hash: 844163B9D042589FCB00CFA9D984ADEFBF4BF09310F15902AE918AB310D375A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 052F5930, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 052F622A

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e3e62945a66be21a24e575c29368146ccdaee57f9f8fb37f53494bd1494b0a2
Instruction ID: 3a0b29a579426ae6ee13c3dcf6f49c19e1229f26f109219686dfc4ebbbd400a0
Opcode Fuzzy Hash: 5e3e62945a66be21a24e575c29368146ccdaee57f9f8fb37f53494bd1494b0a2
Instruction Fuzzy Hash: 3A4185B4D042589FCB10CFA9E884A9EFBF5FB49310F14902AE918BB310D774A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 052FC82C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052FF0A1

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b9c0909e651c07c2310bf70ad72970814afcbd8c3290b4b68325c88a1f349e9d
Instruction ID: e72675493757e7ea674dd2077f5f394b068ef8a4fc9bfeae69951b06005c8a3b
Opcode Fuzzy Hash: b9c0909e651c07c2310bf70ad72970814afcbd8c3290b4b68325c88a1f349e9d
Instruction Fuzzy Hash: E24158B4A102458FCB10CF99D588AAAFBF5FF88314F25C59CE619A7321D775A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 052F617B, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 052F622A

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42ee0ff375a65fd657c67ff36a5b0f5e14c679c375bb0c63351cfd2180a63d4d
Instruction ID: efa7b3f2ebf792aee5c5a6654cba8c20420842221ebe6080a8af8e0134e56213
Opcode Fuzzy Hash: 42ee0ff375a65fd657c67ff36a5b0f5e14c679c375bb0c63351cfd2180a63d4d
Instruction Fuzzy Hash: 484166B4D042599FCB10CFA9E484A9EFBF1BF49310F14902AE918B7210D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 052F5E70, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 052F5F02

Memory Dump Source

Source File: 0000000B.00000002.313988877.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f313437f7b8ae28f90a3a31459aa2030e6903217389904eec894c3d275fcdd4c
Instruction ID: a11cd4edd5643aa6ef2389aa44069d95794fa4c2da8ba457852178d1e4950203
Opcode Fuzzy Hash: f313437f7b8ae28f90a3a31459aa2030e6903217389904eec894c3d275fcdd4c
Instruction Fuzzy Hash: C931B7B4E142099FCB10CFA9E484ADEFBF5AF49310F14906AE818B7310D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report company profile.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets