Play interactive tour

Edit tour

Analysis Report PO#4018-308875.exe

Overview

General Information

Sample Name:	PO#4018-308875.exe
Analysis ID:	342477
MD5:	26b17b353c8950ca0a55e1ea21678d9e
SHA1:	c5f2e80f53a312bd1b8dd3bba438af27a4ba44e3
SHA256:	43bdef53f8ff0d262c2086a46c66d76f8c5e2b9df085959c70a5a3c679474767
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Startup

System is w10x64

PO#4018-308875.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\PO#4018-308875.exe' MD5: 26B17B353C8950CA0A55E1EA21678D9E)

cmd.exe (PID: 4564 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 2764 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

hjfufkimd.exe (PID: 4408 cmdline: 'C:\Users\user\AppData\Roaming\hjfufkimd.exe' MD5: 26B17B353C8950CA0A55E1EA21678D9E)

InstallUtil.exe (PID: 7088 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.162.88.26", "185.162.88.26:2091"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb8ef:$x1: NanoCore.ClientPluginHost 0x10e4bf:$x1: NanoCore.ClientPluginHost 0x14107f:$x1: NanoCore.ClientPluginHost 0xdb92c:$x2: IClientNetworkHost 0x10e4fc:$x2: IClientNetworkHost 0x1410bc:$x2: IClientNetworkHost 0xdf45f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11202f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144bef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdb657:$a: NanoCore 0xdb667:$a: NanoCore 0xdb89b:$a: NanoCore 0xdb8af:$a: NanoCore 0xdb8ef:$a: NanoCore 0x10e227:$a: NanoCore 0x10e237:$a: NanoCore 0x10e46b:$a: NanoCore 0x10e47f:$a: NanoCore 0x10e4bf:$a: NanoCore 0x140de7:$a: NanoCore 0x140df7:$a: NanoCore 0x14102b:$a: NanoCore 0x14103f:$a: NanoCore 0x14107f:$a: NanoCore 0xdb6b6:$b: ClientPlugin 0xdb8b8:$b: ClientPlugin 0xdb8f8:$b: ClientPlugin 0x10e286:$b: ClientPlugin 0x10e488:$b: ClientPlugin 0x10e4c8:$b: ClientPlugin
0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b55:$x1: NanoCore.ClientPluginHost 0xdbc9f:$x1: NanoCore.ClientPluginHost 0x10e86f:$x1: NanoCore.ClientPluginHost 0x14142f:$x1: NanoCore.ClientPluginHost 0x10b92:$x2: IClientNetworkHost 0xdbcdc:$x2: IClientNetworkHost 0x10e8ac:$x2: IClientNetworkHost 0x14146c:$x2: IClientNetworkHost 0x146c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdf80f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1123df:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144f9f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x108bd:$a: NanoCore 0x108cd:$a: NanoCore 0x10b01:$a: NanoCore 0x10b15:$a: NanoCore 0x10b55:$a: NanoCore 0xdba07:$a: NanoCore 0xdba17:$a: NanoCore 0xdbc4b:$a: NanoCore 0xdbc5f:$a: NanoCore 0xdbc9f:$a: NanoCore 0x10e5d7:$a: NanoCore 0x10e5e7:$a: NanoCore 0x10e81b:$a: NanoCore 0x10e82f:$a: NanoCore 0x10e86f:$a: NanoCore 0x141197:$a: NanoCore 0x1411a7:$a: NanoCore 0x1413db:$a: NanoCore 0x1413ef:$a: NanoCore 0x14142f:$a: NanoCore 0x1091c:$b: ClientPlugin
0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x107df:$x1: NanoCore.ClientPluginHost 0x4339d:$x1: NanoCore.ClientPluginHost 0x75fdd:$x1: NanoCore.ClientPluginHost 0x1081c:$x2: IClientNetworkHost 0x433da:$x2: IClientNetworkHost 0x7601a:$x2: IClientNetworkHost 0x1434f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10547:$a: NanoCore 0x10557:$a: NanoCore 0x1078b:$a: NanoCore 0x1079f:$a: NanoCore 0x107df:$a: NanoCore 0x43105:$a: NanoCore 0x43115:$a: NanoCore 0x43349:$a: NanoCore 0x4335d:$a: NanoCore 0x4339d:$a: NanoCore 0x75d45:$a: NanoCore 0x75d55:$a: NanoCore 0x75f89:$a: NanoCore 0x75f9d:$a: NanoCore 0x75fdd:$a: NanoCore 0x105a6:$b: ClientPlugin 0x107a8:$b: ClientPlugin 0x107e8:$b: ClientPlugin 0x43164:$b: ClientPlugin 0x43366:$b: ClientPlugin 0x433a6:$b: ClientPlugin
0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f3d:$a: NanoCore 0x2f96:$a: NanoCore 0x2fd3:$a: NanoCore 0x304c:$a: NanoCore 0x166f7:$a: NanoCore 0x1670c:$a: NanoCore 0x16741:$a: NanoCore 0x2f1c3:$a: NanoCore 0x2f1d8:$a: NanoCore 0x2f20d:$a: NanoCore 0x2f9f:$b: ClientPlugin 0x2fdc:$b: ClientPlugin 0x38da:$b: ClientPlugin 0x38e7:$b: ClientPlugin 0x164b3:$b: ClientPlugin 0x164ce:$b: ClientPlugin 0x164fe:$b: ClientPlugin 0x16715:$b: ClientPlugin 0x1674a:$b: ClientPlugin 0x2ef7f:$b: ClientPlugin 0x2ef9a:$b: ClientPlugin
Process Memory Space: PO#4018-308875.exe PID: 5652	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x35b82:$x1: NanoCore.ClientPluginHost 0x63335:$x1: NanoCore.ClientPluginHost 0x81fc1:$x1: NanoCore.ClientPluginHost 0xa0c52:$x1: NanoCore.ClientPluginHost 0x35be3:$x2: IClientNetworkHost 0x63396:$x2: IClientNetworkHost 0x82022:$x2: IClientNetworkHost 0xa0cb3:$x2: IClientNetworkHost 0x3afe8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x48f5a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6879b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7670d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x87427:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x95399:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa60b8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb402a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: PO#4018-308875.exe PID: 5652	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: PO#4018-308875.exe PID: 5652	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35687:$a: NanoCore 0x356a3:$a: NanoCore 0x357fe:$a: NanoCore 0x3580d:$a: NanoCore 0x35ae6:$a: NanoCore 0x35b12:$a: NanoCore 0x35b82:$a: NanoCore 0x455c4:$a: NanoCore 0x455d6:$a: NanoCore 0x45612:$a: NanoCore 0x62e3a:$a: NanoCore 0x62e56:$a: NanoCore 0x62fb1:$a: NanoCore 0x62fc0:$a: NanoCore 0x63299:$a: NanoCore 0x632c5:$a: NanoCore 0x63335:$a: NanoCore 0x72d77:$a: NanoCore 0x72d89:$a: NanoCore 0x72dc5:$a: NanoCore 0x81ac6:$a: NanoCore
Process Memory Space: hjfufkimd.exe PID: 4408	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4fcd9:$x1: NanoCore.ClientPluginHost 0x6e94d:$x1: NanoCore.ClientPluginHost 0x8d2ed:$x1: NanoCore.ClientPluginHost 0x4fd3a:$x2: IClientNetworkHost 0x6e9ae:$x2: IClientNetworkHost 0x8d34e:$x2: IClientNetworkHost 0x5513f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x630b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x73db3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x81d25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x92753:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa06c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: hjfufkimd.exe PID: 4408	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: hjfufkimd.exe PID: 4408	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4f7de:$a: NanoCore 0x4f7fa:$a: NanoCore 0x4f955:$a: NanoCore 0x4f964:$a: NanoCore 0x4fc3d:$a: NanoCore 0x4fc69:$a: NanoCore 0x4fcd9:$a: NanoCore 0x5f71b:$a: NanoCore 0x5f72d:$a: NanoCore 0x5f769:$a: NanoCore 0x6e452:$a: NanoCore 0x6e46e:$a: NanoCore 0x6e5c9:$a: NanoCore 0x6e5d8:$a: NanoCore 0x6e8b1:$a: NanoCore 0x6e8dd:$a: NanoCore 0x6e94d:$a: NanoCore 0x7e38f:$a: NanoCore 0x7e3a1:$a: NanoCore 0x7e3dd:$a: NanoCore 0x8cdf2:$a: NanoCore
Process Memory Space: InstallUtil.exe PID: 7088	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe821f:$x1: NanoCore.ClientPluginHost 0xf8533:$x1: NanoCore.ClientPluginHost 0x13d113:$x1: NanoCore.ClientPluginHost 0x142cd2:$x1: NanoCore.ClientPluginHost 0x153b4d:$x1: NanoCore.ClientPluginHost 0x16d068:$x1: NanoCore.ClientPluginHost 0xe8264:$x2: IClientNetworkHost 0xf8594:$x2: IClientNetworkHost 0x13d139:$x2: IClientNetworkHost 0x142d17:$x2: IClientNetworkHost 0x153b92:$x2: IClientNetworkHost 0x16d08e:$x2: IClientNetworkHost 0xfd999:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10b90b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: InstallUtil.exe PID: 7088	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 7088	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe8199:$a: NanoCore 0xe81c6:$a: NanoCore 0xe821f:$a: NanoCore 0xefa2e:$a: NanoCore 0xefa41:$a: NanoCore 0xefa73:$a: NanoCore 0xf8038:$a: NanoCore 0xf8054:$a: NanoCore 0xf81af:$a: NanoCore 0xf81be:$a: NanoCore 0xf8497:$a: NanoCore 0xf84c3:$a: NanoCore 0xf8533:$a: NanoCore 0x107f75:$a: NanoCore 0x107f87:$a: NanoCore 0x107fc3:$a: NanoCore 0x1262be:$a: NanoCore 0x13d005:$a: NanoCore 0x13d0a6:$a: NanoCore 0x13d113:$a: NanoCore 0x13d1d4:$a: NanoCore
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
26.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
26.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.InstallUtil.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
26.2.InstallUtil.exe.5620000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
26.2.InstallUtil.exe.5620000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
26.2.InstallUtil.exe.5f00000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
26.2.InstallUtil.exe.5f00000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
26.2.InstallUtil.exe.5f00000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.InstallUtil.exe.5f00000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
26.2.InstallUtil.exe.5f00000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
26.2.InstallUtil.exe.5f00000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 7088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: InstallUtil.exe.7088.26.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26", "185.162.88.26:2091"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY
Source: Yara match	File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE

Source: 26.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 26.2.InstallUtil.exe.5f00000.5.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: PO#4018-308875.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: PO#4018-308875.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO#4018-308875.exe, 00000000.00000003.315746155.0000000008151000.00000004.00000001.sdmp, InstallUtil.exe, 0000001A.00000000.418639038.00000000009B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source:	Binary string: InstallUtil.pdb source: PO#4018-308875.exe, 00000000.00000003.315746155.0000000008151000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov esp, ebp	0_2_078CE638
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_078CD018
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_078C5FA0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_078C6CE0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_078C6CE0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_078C7B58
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_078CFA40
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_078C69C0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_078C69C0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then jmp 078C2026h	0_2_078C1851
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_078C64DC
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_078C6CD4
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_078C6CD4
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then xor edx, edx	0_2_078C6C0C
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then xor edx, edx	0_2_078C6C18
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_078C7C38
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_078C69B4
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_078C69B4
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then push dword ptr [ebp-24h]	20_2_056F6CE0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	20_2_056F6CE0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_056F5FA0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	20_2_056FCEF8
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then push dword ptr [ebp-20h]	20_2_056F69C0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	20_2_056F69C0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then jmp 056F2026h	20_2_056F1860
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_056F7B58
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_056F64DC
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_056F7C38
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then xor edx, edx	20_2_056F6C0C
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then xor edx, edx	20_2_056F6C18
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then push dword ptr [ebp-24h]	20_2_056F6CD4
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	20_2_056F6CD4
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	20_2_056FCEE7
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then push dword ptr [ebp-20h]	20_2_056F69B4
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	20_2_056F69B4
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 4x nop then jmp 056F2026h	20_2_056F1851

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 185.162.88.26
Source: Malware configuration extractor	IPs: 185.162.88.26:2091

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: fenixalec.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49749 -> 185.162.88.26:20911

Source: Joe Sandbox View

IP Address: 185.162.88.26 185.162.88.26

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: unknown

DNS traffic detected: queries for: fenixalec.ddns.net

Source: hjfufkimd.exe, 00000014.00000002.626448750.00000000016C9000.00000004.00000040.sdmp	String found in binary or memory: http://iptc.tc4xmp
Source: PO#4018-308875.exe, 00000000.00000003.337497700.00000000015A9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/Ident

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: PO#4018-308875.exe, 00000000.00000002.338223663.00000000010E8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: InstallUtil.exe, 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY
Source: Yara match	File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.InstallUtil.exe.5620000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

.NET source code contains very large array initializations

Show sources

Source: PO#4018-308875.exe, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491
Source: hjfufkimd.exe.0.dr, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491
Source: 0.2.PO#4018-308875.exe.9f0000.0.unpack, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491
Source: 0.0.PO#4018-308875.exe.9f0000.0.unpack, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491
Source: 20.2.hjfufkimd.exe.b70000.0.unpack, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491
Source: 20.0.hjfufkimd.exe.b70000.0.unpack, i7H/Er0.cs	Large array initialization: .cctor: array initializer size 2491

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: PO#4018-308875.exe

Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe

Code function: 20_2_056A50D8 CreateProcessAsUserW,

20_2_056A50D8

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010CC060	0_2_010CC060
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010C5558	0_2_010C5558
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010CB568	0_2_010CB568
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010C8C70	0_2_010C8C70
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010CD790	0_2_010CD790
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010CAFC0	0_2_010CAFC0
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078CD598	0_2_078CD598
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C0040	0_2_078C0040
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C2050	0_2_078C2050
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C7E30	0_2_078C7E30
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C1851	0_2_078C1851
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078CD588	0_2_078CD588
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C748B	0_2_078C748B
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C7498	0_2_078C7498
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078CE0A9	0_2_078CE0A9
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C0007	0_2_078C0007
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_078C2040	0_2_078C2040
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_016819C0	20_2_016819C0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168C070	20_2_0168C070
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168B578	20_2_0168B578
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_01685558	20_2_01685558
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_01688C70	20_2_01688C70
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_01685CC0	20_2_01685CC0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168D7A0	20_2_0168D7A0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168C060	20_2_0168C060
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168B568	20_2_0168B568
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168AFC0	20_2_0168AFC0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_0168D790	20_2_0168D790
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A6D28	20_2_056A6D28
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A0040	20_2_056A0040
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A4089	20_2_056A4089
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A1B00	20_2_056A1B00
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A2230	20_2_056A2230
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A7958	20_2_056A7958
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A3800	20_2_056A3800
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A0006	20_2_056A0006
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A3810	20_2_056A3810
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A4B20	20_2_056A4B20
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A5BE0	20_2_056A5BE0
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A3388	20_2_056A3388
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A3398	20_2_056A3398
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A2220	20_2_056A2220
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056A1AF1	20_2_056A1AF1
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056FF668	20_2_056FF668
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056FD140	20_2_056FD140
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F0040	20_2_056F0040
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F2050	20_2_056F2050
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056FEC80	20_2_056FEC80
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F7E50	20_2_056F7E50
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F1860	20_2_056F1860
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F7489	20_2_056F7489
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F7498	20_2_056F7498
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056FD130	20_2_056FD130
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F2040	20_2_056F2040
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F0022	20_2_056F0022
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F7E30	20_2_056F7E30
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_056F1851	20_2_056F1851
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_009B20B0	26_2_009B20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_02DBE480	26_2_02DBE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_02DBE471	26_2_02DBE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_02DBBBD4	26_2_02DBBBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_05496550	26_2_05496550
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_0549F428	26_2_0549F428
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_0549C670	26_2_0549C670
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_05493E30	26_2_05493E30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_0549BA58	26_2_0549BA58
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_05494A50	26_2_05494A50
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_0549C72E	26_2_0549C72E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 26_2_05494B08	26_2_05494B08

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB

Source: PO#4018-308875.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hjfufkimd.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hjfufkimd.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hjfufkimd.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PO#4018-308875.exe, 00000000.00000002.344330242.00000000054E0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.344330242.00000000054E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000003.315746155.0000000008151000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.344104285.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.338938017.0000000003E61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.338223663.00000000010E8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO#4018-308875.exe
Source: PO#4018-308875.exe, 00000000.00000002.344553868.0000000005AB0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs PO#4018-308875.exe

Source: PO#4018-308875.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'

Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.InstallUtil.exe.5620000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.InstallUtil.exe.5620000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/5@9/2

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File created: C:\Users\user\AppData\Roaming\hjfufkimd.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe

Jump to behavior

Source: PO#4018-308875.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File read: C:\Users\user\Desktop\PO#4018-308875.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO#4018-308875.exe 'C:\Users\user\Desktop\PO#4018-308875.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hjfufkimd.exe 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process created: C:\Users\user\AppData\Roaming\hjfufkimd.exe 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO#4018-308875.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO#4018-308875.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO#4018-308875.exe, 00000000.00000003.315746155.0000000008151000.00000004.00000001.sdmp, InstallUtil.exe, 0000001A.00000000.418639038.00000000009B2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source:	Binary string: InstallUtil.pdb source: PO#4018-308875.exe, 00000000.00000003.315746155.0000000008151000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Code function: 0_2_010C16D7 pushad ; iretd		0_2_010C16E1
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Code function: 20_2_016816D7 pushad ; iretd		20_2_016816E1

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\PO#4018-308875.exe	File created: C:\Users\user\AppData\Roaming\hjfufkimd.exe			Jump to dropped file
Source: C:\Users\user\Desktop\PO#4018-308875.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe			Jump to dropped file

Boot Survival:

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run erwtvsfvc			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run erwtvsfvc			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\PO#4018-308875.exe	File opened: C:\Users\user\Desktop\PO#4018-308875.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	File opened: C:\Users\user\AppData\Roaming\hjfufkimd.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\PO#4018-308875.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Window / User API: threadDelayed 3017	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Window / User API: threadDelayed 6785	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Window / User API: threadDelayed 2007	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Window / User API: threadDelayed 7810	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 1711	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 7876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: foregroundWindowGot 716	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 2324	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 2324	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 5428	Thread sleep count: 3017 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 5428	Thread sleep count: 6785 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe TID: 2324	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe TID: 6212	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe TID: 6212	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe TID: 5836	Thread sleep count: 2007 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe TID: 5836	Thread sleep count: 7810 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1400	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: PO#4018-308875.exe, 00000000.00000002.344104285.00000000053D0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.633192284.00000000067C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: PO#4018-308875.exe, 00000000.00000002.338938017.0000000003E61000.00000004.00000001.sdmp, hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: PO#4018-308875.exe, 00000000.00000002.338938017.0000000003E61000.00000004.00000001.sdmp, hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: PO#4018-308875.exe, 00000000.00000002.338938017.0000000003E61000.00000004.00000001.sdmp, hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: PO#4018-308875.exe, 00000000.00000002.346318375.000000000814E000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: PO#4018-308875.exe, 00000000.00000002.346318375.000000000814E000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Re
Source: PO#4018-308875.exe, 00000000.00000002.344104285.00000000053D0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.633192284.00000000067C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO#4018-308875.exe, 00000000.00000002.344104285.00000000053D0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.633192284.00000000067C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: hjfufkimd.exe, 00000014.00000002.634749028.0000000005660000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: PO#4018-308875.exe, 00000000.00000002.344104285.00000000053D0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.633192284.00000000067C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe

Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: BCD008	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Process created: C:\Users\user\AppData\Roaming\hjfufkimd.exe 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe	Jump to behavior

Source: hjfufkimd.exe, 00000014.00000002.626496174.0000000001A60000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.627042256.00000000018A0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: InstallUtil.exe, 0000001A.00000002.633150230.00000000063FD000.00000004.00000001.sdmp	Binary or memory string: Program Managerd
Source: InstallUtil.exe, 0000001A.00000002.630050024.0000000003230000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: hjfufkimd.exe, 00000014.00000002.626496174.0000000001A60000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.627042256.00000000018A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: hjfufkimd.exe, 00000014.00000002.626496174.0000000001A60000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.627042256.00000000018A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: InstallUtil.exe, 0000001A.00000002.633182323.000000000667E000.00000004.00000001.sdmp	Binary or memory string: Program Manager0
Source: InstallUtil.exe, 0000001A.00000002.633062767.000000000606D000.00000004.00000001.sdmp	Binary or memory string: Program Managerdy(
Source: hjfufkimd.exe, 00000014.00000002.626496174.0000000001A60000.00000002.00000001.sdmp, InstallUtil.exe, 0000001A.00000002.627042256.00000000018A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\PO#4018-308875.exe	Queries volume information: C:\Users\user\Desktop\PO#4018-308875.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#4018-308875.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Queries volume information: C:\Users\user\AppData\Roaming\hjfufkimd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hjfufkimd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO#4018-308875.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY
Source: Yara match	File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: PO#4018-308875.exe, 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: hjfufkimd.exe, 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#4018-308875.exe PID: 5652, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjfufkimd.exe PID: 4408, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7088, type: MEMORY
Source: Yara match	File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.InstallUtil.exe.5f00000.5.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation	Valid Accounts1	Valid Accounts1	Masquerading1	Input Capture21	Query Registry1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Valid Accounts1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection312	Modify Registry1	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion3	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Disable or Modify Tools1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection312	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Obfuscated Files or Information2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Software Packing1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
26.2.InstallUtil.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
26.2.InstallUtil.exe.5f00000.5.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
fenixalec.ddns.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ns.ado/Ident	0%	Avira URL Cloud	safe
http://iptc.tc4xmp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fenixalec.ddns.net	185.162.88.26	true	true	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.ado/Ident	PO#4018-308875.exe, 00000000.00000003.337497700.00000000015A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://iptc.tc4xmp	hjfufkimd.exe, 00000014.00000002.626448750.00000000016C9000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.162.88.26:2091	unknown	unknown		unknown	unknown	true
185.162.88.26	unknown	Netherlands		40676	AS40676US	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	342477
Start date:	21.01.2021
Start time:	07:18:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO#4018-308875.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/5@9/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2% (good quality ratio 1.9%) Quality average: 49.5% Quality standard deviation: 23.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.42.151.234, 2.20.84.85, 51.11.168.160, 92.122.213.194, 92.122.213.247, 51.103.5.186, 205.185.216.10, 205.185.216.42, 52.155.217.156, 20.54.26.129, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:19:43	API Interceptor	188x Sleep call for process: PO#4018-308875.exe modified
07:19:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run erwtvsfvc C:\Users\user\AppData\Roaming\hjfufkimd.exe
07:19:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run erwtvsfvc C:\Users\user\AppData\Roaming\hjfufkimd.exe
07:20:30	API Interceptor	204x Sleep call for process: hjfufkimd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.162.88.26	PO#4018-308875.pdf.exe	Get hash	malicious	Browse
	MEDUSI492126.pdf.exe	Get hash	malicious	Browse
	silkOrder00110.pdf.exe	Get hash	malicious	Browse
	Order_BC012356.pdf.exe	Get hash	malicious	Browse
	Document#20014464370.pdf.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fenixalec.ddns.net	PO#4018-308875.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	MEDUSI492126.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	silkOrder00110.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Order_BC012356.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Document#20014464370.pdf.exe	Get hash	malicious	Browse	185.162.88.26

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS40676US	PO#4018-308875.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Ulma9B5jo1.exe	Get hash	malicious	Browse	104.149.57.92
	MEDUSI492126.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Request for Quotation.exe	Get hash	malicious	Browse	45.34.249.53
	silkOrder00110.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Order_BC012356.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	Document#20014464370.pdf.exe	Get hash	malicious	Browse	185.162.88.26
	t1XJOlYvhExZyrm.exe	Get hash	malicious	Browse	104.225.208.15
	SWIFT_COPY00993Payment_advic4555pdf.exe	Get hash	malicious	Browse	172.106.111.244
	QN08qH1zYv.exe	Get hash	malicious	Browse	104.149.57.92
	SWIFT-COPY Payment advice3243343.exe	Get hash	malicious	Browse	172.106.111.244
	catalogo TAWI group.exe	Get hash	malicious	Browse	107.160.127.252
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	107.160.127.252
	Rfq_Catalog.exe	Get hash	malicious	Browse	107.160.127.252
	NPD76122.exe	Get hash	malicious	Browse	104.217.231.247
	h3dFAROdF3.exe	Get hash	malicious	Browse	104.217.231.248
	d2mISAbTQN.exe	Get hash	malicious	Browse	104.217.231.248
	n41pVXkYCe.exe	Get hash	malicious	Browse	104.217.231.248
	kqwqyoFz1C.exe	Get hash	malicious	Browse	104.217.231.248
	53McmgaUJP.exe	Get hash	malicious	Browse	104.217.231.248

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	IMG_57880.pdf.exe	Get hash	malicious	Browse
	PO 67542 PDF.exe	Get hash	malicious	Browse
	Mi9eI6wu1p.exe	Get hash	malicious	Browse
	OJ4zX7G77Y.exe	Get hash	malicious	Browse
	IMG_50781.pdf.exe	Get hash	malicious	Browse
	IMG_25579.pdf.exe	Get hash	malicious	Browse
	IMG_40317.pdf.exe	Get hash	malicious	Browse
	PO#4018-308875.pdf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.8504.exe	Get hash	malicious	Browse
	IMG_80137.pdf.exe	Get hash	malicious	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse
	MEDUSI492126.pdf.exe	Get hash	malicious	Browse
	2GNCGUZ6JU.exe	Get hash	malicious	Browse
	IMG_53771.pdf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe	Get hash	malicious	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse
	silkOrder00110.pdf.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	IMG_53091.pdf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#4018-308875.exe.log Download File
Process:	C:\Users\user\Desktop\PO#4018-308875.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1451
Entropy (8bit):	5.345862727722058
Encrypted:	false
SSDEEP:	24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5:	06F54CDBFEF62849AF5AE052722BD7B6
SHA1:	FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256:	4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512:	34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\InstallUtil.exe Download File
Process:	C:\Users\user\Desktop\PO#4018-308875.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41064
Entropy (8bit):	6.164873449128079
Encrypted:	false
SSDEEP:	384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:	EFEC8C379D165E3F33B536739AEE26A3
SHA1:	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:	497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG_57880.pdf.exe, Detection: malicious, Browse Filename: PO 67542 PDF.exe, Detection: malicious, Browse Filename: Mi9eI6wu1p.exe, Detection: malicious, Browse Filename: OJ4zX7G77Y.exe, Detection: malicious, Browse Filename: IMG_50781.pdf.exe, Detection: malicious, Browse Filename: IMG_25579.pdf.exe, Detection: malicious, Browse Filename: IMG_40317.pdf.exe, Detection: malicious, Browse Filename: PO#4018-308875.pdf.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.8504.exe, Detection: malicious, Browse Filename: IMG_80137.pdf.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: MEDUSI492126.pdf.exe, Detection: malicious, Browse Filename: 2GNCGUZ6JU.exe, Detection: malicious, Browse Filename: IMG_53771.pdf.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: silkOrder00110.pdf.exe, Detection: malicious, Browse Filename: 74725794.exe, Detection: malicious, Browse Filename: 74725794.exe, Detection: malicious, Browse Filename: IMG_53091.pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:R:R
MD5:	2F1BE7A93FA3932139F44045B7093C9D
SHA1:	3BD21ABDB1D8DF0DB4FB6584AE3E957B4BC09F36
SHA-256:	FC8D923CBCB211095CFD934D23AA52DD05FDD272545BD4CB488D15A186BAA53D
SHA-512:	530C64B9C169A53F0721317D1D7AE338C75EED8A6925D512172198875DD3DFF63CE9DB5FECB29685B773E29589DF3AB2FE44D2D035A7539EBFE67CA3DA0680A4
Malicious:	true
Reputation:	low
Preview:	..&- ..H

C:\Users\user\AppData\Roaming\hjfufkimd.exe Download File
Process:	C:\Users\user\Desktop\PO#4018-308875.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	716800
Entropy (8bit):	5.544271789349581
Encrypted:	false
SSDEEP:	12288:jJ050jwcEc6t4HpTkJ23d9ZSn9Vt6DuUx:ji08cEc6t4HpAIZSnb
MD5:	26B17B353C8950CA0A55E1EA21678D9E
SHA1:	C5F2E80F53A312BD1B8DD3BBA438AF27A4BA44E3
SHA-256:	43BDEF53F8FF0D262C2086A46C66D76F8C5E2B9DF085959C70A5A3C679474767
SHA-512:	B90A04A218AE54201A4AB25848C91DC197C829C90BEB4DE4B8CC5F9F54928A962151129796181B9DBF48DA1BE6BB7294F878E3BDF020373B9DF2C8A759E8BE23
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m..G.................~...p......^.... ........@.. .......................@............`.....................................S........l................... ....................................................... ............... ..H............text...d\|... ...~.................. ..`.rsrc....l.......n..................@..@.reloc....... ......................@..B................@.......H........`..0;......<.......6.............................................w............%.v..y.....d..:....m....Q.......4..W.....F..s.n..y!sv.g..+'....=6.S...^..g.L..z...G\|;g\|@.R....Nj..2hLX.^s....Z.[G.4......c..4.b..../.z+..X.%.....K....[...D.?Iq.#."..=...3.-..k.P...^..;.+...6..j..ig.....-...E1.Z.0.e...4........J.G..C.C...1..h...I..N>.U]}..T6jZ...Dq.yDY.y..8.....M.2.Jia&..C\...q...q..t...u$.]N....V.\....U.V....R.._.}N.a....c....h}.J/N..J.i..-`j.SL.....(6.._....

C:\Users\user\AppData\Roaming\hjfufkimd.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\PO#4018-308875.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.544271789349581
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO#4018-308875.exe
File size:	716800
MD5:	26b17b353c8950ca0a55e1ea21678d9e
SHA1:	c5f2e80f53a312bd1b8dd3bba438af27a4ba44e3
SHA256:	43bdef53f8ff0d262c2086a46c66d76f8c5e2b9df085959c70a5a3c679474767
SHA512:	b90a04a218ae54201a4ab25848c91dc197c829c90beb4de4b8cc5f9f54928a962151129796181b9dbf48da1be6bb7294f878e3bdf020373b9df2c8a759e8be23
SSDEEP:	12288:jJ050jwcEc6t4HpTkJ23d9ZSn9Vt6DuUx:ji08cEc6t4HpAIZSnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m..G.................~...p......^.... ........@.. .......................@............`................................

File Icon


Icon Hash:	6862eee6b292c66e

Static PE Info

General
Entrypoint:	0x4a9c5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x471CEA6D [Mon Oct 22 18:22:37 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9c08	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x6c0e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7c64	0xa7e00	False	0.528291953649	data	5.50950484926	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x6c0e	0x6e00	False	0.521803977273	data	5.77182057685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xaa2c4	0x668	data
RT_ICON	0xaa92c	0x2e8	data
RT_ICON	0xaac14	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0xaad3c	0xea8	data
RT_ICON	0xabbe4	0x8a8	data
RT_ICON	0xac48c	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xac9f4	0x25a8	data
RT_ICON	0xaef9c	0x10a8	data
RT_ICON	0xb0044	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xb04ac	0x84	data
RT_VERSION	0xb0530	0x4f4	data	English	United States
RT_MANIFEST	0xb0a24	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	(c) Nota Inc. All rights reserved.
FileVersion	4.1.4.0
CompanyName	Nota Inc.
Comments	This installation was built with Inno Setup.
ProductName	Gyazo
ProductVersion	4.1.4.0
FileDescription	Gyazo Setup
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2021 07:21:10.194595098 CET	49749	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:10.245362997 CET	20911	49749	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:10.750391960 CET	49749	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:10.800987005 CET	20911	49749	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:11.312966108 CET	49749	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:11.363570929 CET	20911	49749	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:15.517932892 CET	49750	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:15.568631887 CET	20911	49750	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:16.079057932 CET	49750	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:16.129749060 CET	20911	49750	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:16.641479969 CET	49750	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:16.692219973 CET	20911	49750	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:20.705828905 CET	49751	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:20.756248951 CET	20911	49751	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:21.267081976 CET	49751	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:21.317872047 CET	20911	49751	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:21.829600096 CET	49751	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:21.880040884 CET	20911	49751	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:26.059458971 CET	49753	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:26.110008955 CET	20911	49753	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:26.611205101 CET	49753	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:26.661964893 CET	20911	49753	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:27.174010992 CET	49753	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:27.224834919 CET	20911	49753	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:31.299650908 CET	49755	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:31.350349903 CET	20911	49755	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:31.861526012 CET	49755	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:31.913264036 CET	20911	49755	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:32.424514055 CET	49755	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:32.475508928 CET	20911	49755	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:36.555077076 CET	49756	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:36.605745077 CET	20911	49756	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:37.112006903 CET	49756	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:37.162477016 CET	20911	49756	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:37.674544096 CET	49756	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:37.725790977 CET	20911	49756	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:41.746510983 CET	49757	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:41.797168016 CET	20911	49757	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:42.299890041 CET	49757	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:42.350419998 CET	20911	49757	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:42.862423897 CET	49757	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:42.913009882 CET	20911	49757	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:46.928580999 CET	49758	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:46.980833054 CET	20911	49758	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:47.487807035 CET	49758	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:47.538381100 CET	20911	49758	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:48.050369978 CET	49758	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:48.101048946 CET	20911	49758	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:52.114620924 CET	49759	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:52.165218115 CET	20911	49759	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:52.675843954 CET	49759	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:52.726166010 CET	20911	49759	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:53.238327026 CET	49759	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:53.288965940 CET	20911	49759	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:57.469202995 CET	49760	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:57.520087004 CET	20911	49760	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:58.035609961 CET	49760	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:58.086205959 CET	20911	49760	185.162.88.26	192.168.2.7
Jan 21, 2021 07:21:58.598628998 CET	49760	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:21:58.649328947 CET	20911	49760	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:02.790209055 CET	49761	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:02.840651989 CET	20911	49761	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:03.350677967 CET	49761	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:03.401880980 CET	20911	49761	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:03.910955906 CET	49761	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:03.961889982 CET	20911	49761	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:09.391566992 CET	49762	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:09.442047119 CET	20911	49762	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:09.952791929 CET	49762	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:10.004659891 CET	20911	49762	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:10.506259918 CET	49762	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:10.556945086 CET	20911	49762	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:14.601311922 CET	49763	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:14.652283907 CET	20911	49763	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:15.162935019 CET	49763	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:15.215492964 CET	20911	49763	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:15.725584984 CET	49763	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:15.777245045 CET	20911	49763	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:19.805321932 CET	49764	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:19.856096029 CET	20911	49764	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:20.366501093 CET	49764	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:20.417002916 CET	20911	49764	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:20.928977966 CET	49764	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:20.979587078 CET	20911	49764	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:25.120189905 CET	49765	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:25.170635939 CET	20911	49765	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:25.679419041 CET	49765	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:25.730566978 CET	20911	49765	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:26.241952896 CET	49765	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:26.292938948 CET	20911	49765	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:30.421901941 CET	49766	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:30.472906113 CET	20911	49766	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:30.976934910 CET	49766	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:31.027550936 CET	20911	49766	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:31.539257050 CET	49766	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:31.589936972 CET	20911	49766	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:35.667542934 CET	49767	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:35.718305111 CET	20911	49767	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:36.227289915 CET	49767	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:36.277928114 CET	20911	49767	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:36.789805889 CET	49767	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:36.840408087 CET	20911	49767	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:40.910835028 CET	49768	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:40.961294889 CET	20911	49768	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:41.461968899 CET	49768	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:41.512542963 CET	20911	49768	185.162.88.26	192.168.2.7
Jan 21, 2021 07:22:42.024513960 CET	49768	20911	192.168.2.7	185.162.88.26
Jan 21, 2021 07:22:42.075789928 CET	20911	49768	185.162.88.26	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2021 07:19:39.187886953 CET	55411	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:39.244185925 CET	53	55411	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:40.364118099 CET	63668	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:40.414766073 CET	53	63668	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:41.766908884 CET	54640	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:41.817589045 CET	53	54640	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:42.781416893 CET	58739	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:42.829230070 CET	53	58739	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:44.003678083 CET	60338	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:44.054332018 CET	53	60338	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:44.998965025 CET	58717	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:45.058206081 CET	53	58717	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:46.099541903 CET	59762	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:46.147551060 CET	53	59762	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:47.129146099 CET	54329	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:47.176958084 CET	53	54329	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:48.157058001 CET	58052	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:48.207770109 CET	53	58052	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:49.116137028 CET	54008	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:49.174880028 CET	53	54008	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:49.974899054 CET	59451	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:50.031143904 CET	53	59451	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:50.726120949 CET	52914	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:50.782291889 CET	53	52914	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:51.991139889 CET	64569	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:52.041958094 CET	53	64569	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:54.407627106 CET	52816	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:54.466856003 CET	53	52816	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:55.777554035 CET	50781	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:55.825472116 CET	53	50781	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:56.764731884 CET	54230	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:56.820934057 CET	53	54230	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:58.272994041 CET	54911	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:58.324692011 CET	53	54911	8.8.8.8	192.168.2.7
Jan 21, 2021 07:19:59.522815943 CET	49958	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:19:59.581321001 CET	53	49958	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:01.119352102 CET	50860	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:01.167102098 CET	53	50860	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:02.199868917 CET	50452	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:02.250752926 CET	53	50452	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:02.385554075 CET	59730	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:02.436297894 CET	53	59730	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:07.982062101 CET	59310	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:08.038496971 CET	53	59310	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:18.294717073 CET	51919	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:18.345320940 CET	53	51919	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:18.652225971 CET	64296	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:18.703476906 CET	53	64296	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:23.751013041 CET	56680	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:23.807271004 CET	53	56680	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:29.860162020 CET	58820	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:29.919303894 CET	53	58820	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:30.506624937 CET	60983	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:30.563065052 CET	53	60983	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:31.142412901 CET	49247	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:31.198556900 CET	53	49247	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:31.685444117 CET	52286	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:31.742531061 CET	53	52286	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:32.250085115 CET	56064	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:32.309338093 CET	53	56064	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:32.971565962 CET	63744	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:33.019469976 CET	53	63744	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:33.227957010 CET	61457	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:33.295059919 CET	53	61457	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:33.645874977 CET	58367	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:33.702230930 CET	53	58367	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:34.865190983 CET	60599	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:34.922327042 CET	53	60599	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:35.781820059 CET	59571	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:35.829627991 CET	53	59571	8.8.8.8	192.168.2.7
Jan 21, 2021 07:20:36.496061087 CET	52689	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:20:36.552227020 CET	53	52689	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:08.226511002 CET	50290	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:08.275254965 CET	53	50290	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:24.251454115 CET	60427	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:24.307600975 CET	53	60427	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:25.996978045 CET	56209	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:26.057513952 CET	53	56209	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:27.343066931 CET	59582	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:27.390883923 CET	53	59582	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:31.240375042 CET	60949	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:31.298129082 CET	53	60949	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:36.494344950 CET	58542	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:36.553634882 CET	53	58542	8.8.8.8	192.168.2.7
Jan 21, 2021 07:21:57.401041031 CET	59179	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:21:57.457227945 CET	53	59179	8.8.8.8	192.168.2.7
Jan 21, 2021 07:22:02.728920937 CET	60927	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:22:02.788012981 CET	53	60927	8.8.8.8	192.168.2.7
Jan 21, 2021 07:22:09.289910078 CET	57854	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:22:09.349340916 CET	53	57854	8.8.8.8	192.168.2.7
Jan 21, 2021 07:22:30.361867905 CET	62026	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:22:30.419929981 CET	53	62026	8.8.8.8	192.168.2.7
Jan 21, 2021 07:22:35.605401039 CET	59453	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:22:35.663017988 CET	53	59453	8.8.8.8	192.168.2.7
Jan 21, 2021 07:22:40.853759050 CET	62468	53	192.168.2.7	8.8.8.8
Jan 21, 2021 07:22:40.910154104 CET	53	62468	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2021 07:21:25.996978045 CET	192.168.2.7	8.8.8.8	0x34f5	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:31.240375042 CET	192.168.2.7	8.8.8.8	0x4116	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:36.494344950 CET	192.168.2.7	8.8.8.8	0x2199	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:57.401041031 CET	192.168.2.7	8.8.8.8	0x8b50	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:02.728920937 CET	192.168.2.7	8.8.8.8	0x6ffa	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:09.289910078 CET	192.168.2.7	8.8.8.8	0x8ace	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:30.361867905 CET	192.168.2.7	8.8.8.8	0xb7d8	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:35.605401039 CET	192.168.2.7	8.8.8.8	0xdeab	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:40.853759050 CET	192.168.2.7	8.8.8.8	0x60d	Standard query (0)	fenixalec.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 21, 2021 07:21:26.057513952 CET	8.8.8.8	192.168.2.7	0x34f5	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:31.298129082 CET	8.8.8.8	192.168.2.7	0x4116	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:36.553634882 CET	8.8.8.8	192.168.2.7	0x2199	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:21:57.457227945 CET	8.8.8.8	192.168.2.7	0x8b50	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:02.788012981 CET	8.8.8.8	192.168.2.7	0x6ffa	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:09.349340916 CET	8.8.8.8	192.168.2.7	0x8ace	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:30.419929981 CET	8.8.8.8	192.168.2.7	0xb7d8	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:35.663017988 CET	8.8.8.8	192.168.2.7	0xdeab	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)
Jan 21, 2021 07:22:40.910154104 CET	8.8.8.8	192.168.2.7	0x60d	No error (0)	fenixalec.ddns.net	185.162.88.26	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO#4018-308875.exe PID: 5652 Parent PID: 5668

General

Start time:	07:19:36
Start date:	21/01/2021
Path:	C:\Users\user\Desktop\PO#4018-308875.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO#4018-308875.exe'
Imagebase:	0x9f0000
File size:	716800 bytes
MD5 hash:	26B17B353C8950CA0A55E1EA21678D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.339312543.00000000047A4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4564 Parent PID: 5652

General

Start time:	07:19:41
Start date:	21/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Imagebase:	0x1310000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4496 Parent PID: 4564

General

Start time:	07:19:41
Start date:	21/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 2764 Parent PID: 4564

General

Start time:	07:19:42
Start date:	21/01/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'erwtvsfvc' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Imagebase:	0xd00000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: hjfufkimd.exe PID: 4408 Parent PID: 5652

General

Start time:	07:20:23
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Roaming\hjfufkimd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\hjfufkimd.exe'
Imagebase:	0xb70000
File size:	716800 bytes
MD5 hash:	26B17B353C8950CA0A55E1EA21678D9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.632887895.0000000004935000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.633244626.0000000004ACB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: InstallUtil.exe PID: 7088 Parent PID: 4408

General

Start time:	07:21:01
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Imagebase:	0x9b0000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001A.00000002.632805982.0000000005620000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.633000163.0000000005F00000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.624554615.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.630562500.0000000003E99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO#4018-308875.exe PID: 5652 Parent PID: 5668 PO#4018-308875.exeCOMMON

Executed Functions

Function 078C0040, Relevance: 6.0, Strings: 4, Instructions: 974COMMON

Download Yara Rule

Strings

(, xrefs: 078C06C6
<, xrefs: 078C025C
ntin, xrefs: 078C056D
ntin, xrefs: 078C0A9F

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID: ($<$ntin$ntin
API String ID: 0-2884023141
Opcode ID: 33f4d1ee8c533a6fddd93d2307b6d1b86e6924a0d8368031445156bdefeb58c5
Instruction ID: 5ca07ed26ca8d8c90903728f6242d1e961f58eebe95fc4e0c7ee6f7fa2868bf1
Opcode Fuzzy Hash: 33f4d1ee8c533a6fddd93d2307b6d1b86e6924a0d8368031445156bdefeb58c5
Instruction Fuzzy Hash: B6A2E0B4E04219CFDB14CF99C985B9DFBB2BF99304F24C1A9D508AB255D730AA81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010C5558, Relevance: 4.6, Strings: 3, Instructions: 897COMMON

Download Yara Rule

Strings

D0Jl, xrefs: 010C5A2D
D0Jl, xrefs: 010C5B2D
D0Jl, xrefs: 010C59A0

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID: D0Jl$D0Jl$D0Jl
API String ID: 0-2613827940
Opcode ID: b4d7a8443dbaa174acf66c3cb224422fa227d88ad5e6c47208e527f0f6a43340
Instruction ID: 78ab139943f17db71be8db3cf6e2d2f68290e0f90c15e5beee1c7a8811651963
Opcode Fuzzy Hash: b4d7a8443dbaa174acf66c3cb224422fa227d88ad5e6c47208e527f0f6a43340
Instruction Fuzzy Hash: F3727D34B002198FDB58CF69C894AAEBBF2BF88704F148569E545AB361DB35EC41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078C1851, Relevance: 4.2, Strings: 3, Instructions: 461COMMON

Download Yara Rule

Strings

xEl, xrefs: 078C1F56
+!8l^, xrefs: 078C1E00, 078C1E05
xEl, xrefs: 078C1E18

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID: xEl$xEl$+!8l^
API String ID: 0-1260320397
Opcode ID: fd9784c03f0fc9ab459987cf61a57aca6e9e5e7807ed2e404e74d596c0b40c09
Instruction ID: 49a70044d216838cf285f6d99ad4fe5ad48f97275db8d2c91e51ad4d6f45cbed
Opcode Fuzzy Hash: fd9784c03f0fc9ab459987cf61a57aca6e9e5e7807ed2e404e74d596c0b40c09
Instruction Fuzzy Hash: 0A22F6B4D01228CFDB69DF65D894BDDBBB2BF89301F1085AAD40AA7350DB759A81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 078C0007, Relevance: 4.1, Strings: 3, Instructions: 329COMMON

Download Yara Rule

Strings

<, xrefs: 078C025C
ntin, xrefs: 078C056D
ntin, xrefs: 078C0343

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: 499e0cd3e7e04e712a5f0cbb5df1def1275c93f073a53a98b07e59cd786661fd
Instruction ID: c37a26e8a2a3d94e17925d5a893c500e4b7c9821111370d3dc91fd75f0d84025
Opcode Fuzzy Hash: 499e0cd3e7e04e712a5f0cbb5df1def1275c93f073a53a98b07e59cd786661fd
Instruction Fuzzy Hash: D3E1B4B1E046198FDB18CFAAC9416DEFBF2BF89300F14C1AAD508AB265D7349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010CB568, Relevance: 3.2, Strings: 2, Instructions: 653COMMON

Download Yara Rule

Strings

<, xrefs: 010CB69D
@, xrefs: 010CBE7D

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: b96b5aeaf4991c415bc900b2b924ffc8aaa4a5b6f673f3ba033bbff21fbcf473
Instruction ID: ddaf6f545bdbac7327da91ded66abf9e1455e62d6be1920e075f56a05df02769
Opcode Fuzzy Hash: b96b5aeaf4991c415bc900b2b924ffc8aaa4a5b6f673f3ba033bbff21fbcf473
Instruction Fuzzy Hash: D062EC70E00219CFEB64CFA9CA85A9DFBF2BF48754F15C1A9D548AB221E7309981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010C8C70, Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7d87ae5b96e927aaba737e0868b9cb537df9871eb239aec03f5b9876435307
Instruction ID: 75b5567f389207356b6e0518887e4c4d89943ae26f91fde42c13d3669c34cfb6
Opcode Fuzzy Hash: ec7d87ae5b96e927aaba737e0868b9cb537df9871eb239aec03f5b9876435307
Instruction Fuzzy Hash: CF828E30A00609CFCB15CF68C584AAEBBF2FF88714F1585A9E9859B2A2D731ED51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010CD790, Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24f375650ff535a0e27426eceda79a086bbd135b3cee30661e663d61f364bc1
Instruction ID: 2e038a71739dde2db5e8e66c8aa20b25a2d2992c696d93043721d21d62027481
Opcode Fuzzy Hash: e24f375650ff535a0e27426eceda79a086bbd135b3cee30661e663d61f364bc1
Instruction Fuzzy Hash: CB427074E01219CFDB54DFA9C984B9DBBB2FF88310F2586A9D809A7355D730AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010CC060, Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9037b06dd4935f51246b17ac9dc86e951d5afc3e6bb34a0359cd89b5ec95c58c
Instruction ID: ae5cbab62709c59e8544ebefda8e8830df0678b42a82b5da2149cff56526f8ab
Opcode Fuzzy Hash: 9037b06dd4935f51246b17ac9dc86e951d5afc3e6bb34a0359cd89b5ec95c58c
Instruction Fuzzy Hash: EA32D370900218CFEB50DBA9CA88A9DFBF2BF49615F55C199C54CAB221DB30DD85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 078CD588, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170d61bb922d04ce6d14436c9b482d29c1d7196c9c32f749df71c22f7b77eadb
Instruction ID: 8384340f2dc0c10c898d47423aa7dd235f7e1046df76561a3b76210b4947d7c2
Opcode Fuzzy Hash: 170d61bb922d04ce6d14436c9b482d29c1d7196c9c32f749df71c22f7b77eadb
Instruction Fuzzy Hash: 6AD1C2B4E01218CFDB28DFA5D954BEDBBF1BB8A305F2081AAD809A7354DB345A45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 078CD598, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baaad9eda5539ac1aaf85cb2e65d8ad261c0957aac55a1a181c218e678fc572
Instruction ID: 9f7855614fe0fdf75a1c826717291c45cb25610b2b83d0028b76224df18eb602
Opcode Fuzzy Hash: 1baaad9eda5539ac1aaf85cb2e65d8ad261c0957aac55a1a181c218e678fc572
Instruction Fuzzy Hash: 7AD1A1B4E01218CFDB28DFA5D954BEDBBF1BB8A305F2081AAD809A7354DB345A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 078C2050, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403e4f965d58f27ced9f3a9b8f38a3cb89ed70bf2f1450f23b1b78d7f8a9f003
Instruction ID: e4c94a77cde9b89d99e464fdb66865c68d588463bd3a6ee56250aae3a36eec7b
Opcode Fuzzy Hash: 403e4f965d58f27ced9f3a9b8f38a3cb89ed70bf2f1450f23b1b78d7f8a9f003
Instruction Fuzzy Hash: 0FD1B0B4E00218CFDB54DFA9D944B9DBBB2BF88304F1085AAD949AB354DB309E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078C7B58, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585aec38aadac7d8f14379296f8c6361b7fc27872d92cc4bdb9097f387533d55
Instruction ID: 078e9c63a6c7fdcce5347673c896ffa648ca08985fab1404291954dfdc80bf7d
Opcode Fuzzy Hash: 585aec38aadac7d8f14379296f8c6361b7fc27872d92cc4bdb9097f387533d55
Instruction Fuzzy Hash: B3B126B0E003099FCB14DFA9C494A9EBBF1EF99314F24852DE509AB350DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078C7E30, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6707f0b4a0d3bb1a575a889facaebf56b982c46c1ba35c2739303eb019f2e4b9
Instruction ID: 596e7e28ffda83d7e181f66a3ebca3e971f8803ed3a32bfde747c94aeb6d2fe0
Opcode Fuzzy Hash: 6707f0b4a0d3bb1a575a889facaebf56b982c46c1ba35c2739303eb019f2e4b9
Instruction Fuzzy Hash: 1CB1E4B1E002588FDB14DFA9C944ADDBBB2BF89304F2481AAD448AB355EB319985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078C2040, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a944fcdd3ad70b3f8f0f89f9bb7cbfd8f7f36e0af4b094db90e3f3ed8092ec7
Instruction ID: 5b0a1f46012439763e8d31bb900b246ad2aec6e02ae8d18e1b0479bcd9399960
Opcode Fuzzy Hash: 9a944fcdd3ad70b3f8f0f89f9bb7cbfd8f7f36e0af4b094db90e3f3ed8092ec7
Instruction Fuzzy Hash: AEA1D174D00618CFDB54EFA9D944B9DFBB2FF88304F1085AAD448AB264DB305A95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078CD018, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcd3b99563ebff02b68e5c5262548168093f14a4482f45c09c0462aeace6a84
Instruction ID: 6ae66ab8876a935a6b155dccd0869f5679abe99fe59e95c3dac9de3d7e0d8065
Opcode Fuzzy Hash: 0dcd3b99563ebff02b68e5c5262548168093f14a4482f45c09c0462aeace6a84
Instruction Fuzzy Hash: 555144B4E00258CFDB18DFA9C8887EDBBB2AF4A314F248129D401BB394C7759986CF14

Uniqueness

Uniqueness Score: -1.00%

Function 078C7C38, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec4afa2b464812f9c1f5b56a0b1f1553a2a55f326d7dcd76d7ff7732657a674
Instruction ID: 4fa8a91518036ec8aa93bb30de870f882984031564926a0cc114433a9bfb391d
Opcode Fuzzy Hash: fec4afa2b464812f9c1f5b56a0b1f1553a2a55f326d7dcd76d7ff7732657a674
Instruction Fuzzy Hash: B041A9B4D002489FDB10CFA9C588ADEBBF0AB09304F20912AE919BB350D774A949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 078C64DC, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffd418ac1c4b967059c315e3d4e3fed7ca98eb832337c83c8eef7a39d551214
Instruction ID: 78d9bc768ba2ffabce01b1e935054658020364b0bdbe6bc551d29b9b49a7fbff
Opcode Fuzzy Hash: 3ffd418ac1c4b967059c315e3d4e3fed7ca98eb832337c83c8eef7a39d551214
Instruction Fuzzy Hash: 6A41B9B4E052489FDB10CFA9C584BDEFBF0AB09314F20902AE415BB250DB75A989CF55

Uniqueness

Uniqueness Score: -1.00%

Function 078C5FA0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6896d81a10782cb630fde17b27afc0cf50104349eaa13637f07e306bebe25694
Instruction ID: 760ddf8cb01c80b3577e8662826f5ba2685b0484ee952b588406124fe4d286d7
Opcode Fuzzy Hash: 6896d81a10782cb630fde17b27afc0cf50104349eaa13637f07e306bebe25694
Instruction Fuzzy Hash: 1F41B9B4E052089FDB10CFA9C584BDEFBF0AB09314F20902EE405BB250DB74A949CF99

Uniqueness

Uniqueness Score: -1.00%

Function 078CFA40, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a68897a8ddd7ff76f1830debd2be8f95270fddbe6401b73d15bcbd60738f11
Instruction ID: 4b89962052ff0114049b546f6dbe0873e3705a0a8a1855f114385df0b09efa08
Opcode Fuzzy Hash: 43a68897a8ddd7ff76f1830debd2be8f95270fddbe6401b73d15bcbd60738f11
Instruction Fuzzy Hash: E12134B1D012289FDB04DFA4D818BEEBBB1EB8A315F40546AC151B32A0CB785945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 078C69B4, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f141d474e2f6ac3ad60ddb02e8b9412c8e209432cf4b980a07dcda467b19ac
Instruction ID: 1639db4ad3bb8507c3e0a862ebc5802125c0c70a4ae443e37199e23ae63dd1fc
Opcode Fuzzy Hash: a8f141d474e2f6ac3ad60ddb02e8b9412c8e209432cf4b980a07dcda467b19ac
Instruction Fuzzy Hash: 18318CB4E01209EFCB14CFAAD484AADBBB2BB49310F24912AE814B7350D7349985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 078C69C0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d035a4118c1fbf4be952295aac240b8174bc5b8cabeb0676dbb028fff996e32
Instruction ID: 7938b67cf2cb817f997088295d03c8744e40d129aa628f4433c089c17679075e
Opcode Fuzzy Hash: 7d035a4118c1fbf4be952295aac240b8174bc5b8cabeb0676dbb028fff996e32
Instruction Fuzzy Hash: 4E315DB4E05209EFCB14CFAAD584AADBBF2BB49350F24D129E814B7350D7349945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 078C6CD4, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64026496abc9781dcec538abda743b3c8d93c28a6919a8e55ba9d2c6286ff58
Instruction ID: 71d65079bca88b1cc2f0eb458760d734c39d0c34d42b78d002e13e1160936978
Opcode Fuzzy Hash: d64026496abc9781dcec538abda743b3c8d93c28a6919a8e55ba9d2c6286ff58
Instruction Fuzzy Hash: 4E21A3B4D04209DFDB04DFAAD4446EDBBF1AB5A320F24E129E824B73A4E7348581CF58

Uniqueness

Uniqueness Score: -1.00%

Function 078C6CE0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfc6d7b6e43c6cd7019a21947658c3f38225ef4fb389883e9ab86f26b768281
Instruction ID: 545d05654436f78a6ee5bc23de2a2b8ac5225f1215cbefcb69ec576b4089c937
Opcode Fuzzy Hash: 4cfc6d7b6e43c6cd7019a21947658c3f38225ef4fb389883e9ab86f26b768281
Instruction Fuzzy Hash: 1921C0B4E00209DFDB04CFAAC4446EDBBF1AB5A320F14E129E824B7364E7348941CF58

Uniqueness

Uniqueness Score: -1.00%

Function 078CE638, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd832590ef106ce8aad4410bdda3b70b5a27a792883772de15e9545b47b5850c
Instruction ID: 8bdb850442408941471298bd3d5889a3a7cd2a34468a2c5592b7dc70aab022b4
Opcode Fuzzy Hash: cd832590ef106ce8aad4410bdda3b70b5a27a792883772de15e9545b47b5850c
Instruction Fuzzy Hash: 520156B0D192899FCB01DFB8C914BEEBFB0AF0A204F1085AAC044A7291D7744A56CF81

Uniqueness

Uniqueness Score: -1.00%

Function 078C7E24, Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 078CE9D9

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d4668cbc753c89d421fc26618e7dcf74e76d6b481b54be94f61e15bf030548dd
Instruction ID: 859c474ecefec8a55f694855ecf794600df7b5a1ecfa437afb0d0bd6f5f3c2ab
Opcode Fuzzy Hash: d4668cbc753c89d421fc26618e7dcf74e76d6b481b54be94f61e15bf030548dd
Instruction Fuzzy Hash: C2C1DEB4E00218CFDB24CFA9C981B9DBBB1FF59304F1481A9E449A7351DB34AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 078C7E17, Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 078CE9D9

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f64796a6de07c675db261dbcea80f7e43aa828298e0f8fb99152814fcd64440d
Instruction ID: 96ddf0f22038bd84344ff9c4b5d5e00854fa5f2d1d74679ca8c1eb10184b08a2
Opcode Fuzzy Hash: f64796a6de07c675db261dbcea80f7e43aa828298e0f8fb99152814fcd64440d
Instruction Fuzzy Hash: 29B1FFB4E00219CFDB24CFA9C981B9DBBB1FF59304F1481A9E849A7351DB34AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 078CE72C, Relevance: 1.8, APIs: 1, Instructions: 264COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,?,?,?,?), ref: 078CE9D9

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 9af994862f8ed65110bb7008745158ec25cd101b7995475c93f4b4d6ea76f728
Instruction ID: d35ac03f818c6258d17b0ffc58f4406341266895d4abc2438f9d92fa22b00840
Opcode Fuzzy Hash: 9af994862f8ed65110bb7008745158ec25cd101b7995475c93f4b4d6ea76f728
Instruction Fuzzy Hash: CBB1EFB4E002198FDB24CFA9C981B9DBBB1FF49304F1481A9E858B7351DB34AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 078C0E38, Relevance: 1.6, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 078C0EE7

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d72e849255b8c2390b27580543f37faf51b1c00476d3603c1a9e4f473b91e4bb
Instruction ID: 8b8588a1c6dedafea5517e8078a35e5c60933630a9d42d297e0417c841369778
Opcode Fuzzy Hash: d72e849255b8c2390b27580543f37faf51b1c00476d3603c1a9e4f473b91e4bb
Instruction Fuzzy Hash: CB41BBB5D04258DFCF10CFA9E884AEEFBB0AB59314F24906AE814B7250C735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010CBF58, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 010CC007

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0aa392fc5d385c14f617b48d9603e9a39be978af19bf3692d899519ffa7374e8
Instruction ID: 6e5298ca10e998f77684385323125808bbc7324b0a3730e803eee950259bf102
Opcode Fuzzy Hash: 0aa392fc5d385c14f617b48d9603e9a39be978af19bf3692d899519ffa7374e8
Instruction Fuzzy Hash: 2E31BBB4D042589FCB10CFA9D584AEEFBB1BB49310F24902AE854B7210C335A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 078C15A8, Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 078C1649

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: be7ad0ba5a12ffa8174b683a058d9eb14be431eba2da0baa3bb6a4a151bdf597
Instruction ID: 42ee3a0e158927910265abe9b56b15b74933fecbf98cfa277418317198d4d9b0
Opcode Fuzzy Hash: be7ad0ba5a12ffa8174b683a058d9eb14be431eba2da0baa3bb6a4a151bdf597
Instruction Fuzzy Hash: 4D41FBB4D05218DFCB00CFA9E588AEEFBF1AB49314F14906AE809B7311D734AA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 010CBF60, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 010CC007

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 65a4c54e5ba35deb02859ee49d7edbdbff86e335ef617f95c10e0d4a43875662
Instruction ID: a6ce17f1cd4477e14c857d2d99314b81c0817e8cd17e0c1e7f296b67dfc77a55
Opcode Fuzzy Hash: 65a4c54e5ba35deb02859ee49d7edbdbff86e335ef617f95c10e0d4a43875662
Instruction Fuzzy Hash: 023198B9D042589FCF10CFA9E584AEEFBF0BB49310F24902AE818B7210D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 078C0E40, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 078C0EE7

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dd3850798b88e646944f40ae9ba4c118a09854ff2697ea0321173fb35c21aed2
Instruction ID: 49a95b9973710c2de77e20a1cd42f74e0b04324d700ee3c2a9d811750572adfe
Opcode Fuzzy Hash: dd3850798b88e646944f40ae9ba4c118a09854ff2697ea0321173fb35c21aed2
Instruction Fuzzy Hash: 4C3197B9D05258DFCF10CFA9E884AEEFBB4BB59310F14902AE814B7210D734A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 078C15B0, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 078C1649

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 973c7c2e70001454d8c8d1f6ce242417ce8087dde639ca62d0e40aa38da777d1
Instruction ID: b5237830358c3d7a3b70640cf0661755a7fd342ea325c42ff791f60ca5b8bdc3
Opcode Fuzzy Hash: 973c7c2e70001454d8c8d1f6ce242417ce8087dde639ca62d0e40aa38da777d1
Instruction Fuzzy Hash: F531C9B4D01258DFCB10CFA9D888AEEFBF4BB49314F14842AE404B7210D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010CAFC0, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

D0Jl, xrefs: 010CB2BC

Memory Dump Source

Source File: 00000000.00000002.338149659.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID:
String ID: D0Jl
API String ID: 0-1607171866
Opcode ID: dc812ba13230596476cd7c5450dc65ce32cb58ce4907814876bf4dd5b0b6421c
Instruction ID: e74dbf2f3f48e90fc4fbe0e18b20b87b4a1ef8079e000140d72c6591ddc50a9b
Opcode Fuzzy Hash: dc812ba13230596476cd7c5450dc65ce32cb58ce4907814876bf4dd5b0b6421c
Instruction Fuzzy Hash: AC81A030F04218CBCF18EBB5945567EB6A3BFC9650F05892EE586E7388DF399C018B95

Uniqueness

Uniqueness Score: -1.00%

Function 078CE0A9, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b516ecfb94a1b43b7296795ec92c71782945227b71119707c98c65e8155ee073
Instruction ID: a41a16bdd79e36acb274600e7e088a966bc8cf4ec57e240168a81b2656c48a7a
Opcode Fuzzy Hash: b516ecfb94a1b43b7296795ec92c71782945227b71119707c98c65e8155ee073
Instruction Fuzzy Hash: 4C02F6B4D05228CFDB24CFA5D944BEDBBB2BF49314F1481A9D448AB391DB349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 078C748B, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1643ddfc74f4e132691778a4e3e226027a9bfd30d76cb87221a75243584043e
Instruction ID: 5f8bb09bddd66500222ba466af8a74e23f3375b6e7936b8f0278f583d962ef23
Opcode Fuzzy Hash: a1643ddfc74f4e132691778a4e3e226027a9bfd30d76cb87221a75243584043e
Instruction Fuzzy Hash: C4D11A30C1075A9ADB10EB68C990ADDB7B1FFA5300F61979AD1497B214EB706AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 078C7498, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda7361e2d354193ada057df94ff430fbdc33b65cc7cb4bccfb1f3fdc247d38f
Instruction ID: 1a6e985c7ebddf48098e7c70229f23ce15bc221aad14d1ed348e837b783722f2
Opcode Fuzzy Hash: bda7361e2d354193ada057df94ff430fbdc33b65cc7cb4bccfb1f3fdc247d38f
Instruction Fuzzy Hash: 1ED11A30C1075A9ADB10EB68C990ADDB7B1FFE5300F619B9AD1497B214EB706AC4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078C6C0C, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10099a47f7286a768e3416e5efd393111ca38b170da5c2b57fd0c159f762eab
Instruction ID: cc8efd888a41608eaec149c5b52efc92f1b9e53a159949677b73a49044794ca4
Opcode Fuzzy Hash: c10099a47f7286a768e3416e5efd393111ca38b170da5c2b57fd0c159f762eab
Instruction Fuzzy Hash: BC015FB5D052099F8B04DFA9E4414EEFBF2AB5A310F10A16AE845B7314E73499518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 078C6C18, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345924177.00000000078C0000.00000040.00000001.sdmp, Offset: 078C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 3883438588ca2d37a55d0b2aa08df82e5a6e533fd00936ea0ee61dcdf710b11c
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: AEF042B5E0520C9F8F04DFA9D5418EEFBF2AB5A310F10A16AE814B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hjfufkimd.exe PID: 4408 Parent PID: 5652 hjfufkimd.exeCOMMON

Executed Functions

Function 056A50D8, Relevance: 1.8, APIs: 1, Instructions: 253processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,056A555D,?,?,?), ref: 056A57C4

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: fced9795625f0974f90fa6ed057be0b139c098acf6bc027dad585a4850cdfe96
Instruction ID: 523fa9d6beab5dacbf3154da46400fe68d17a25b7492363468126b54abaea122
Opcode Fuzzy Hash: fced9795625f0974f90fa6ed057be0b139c098acf6bc027dad585a4850cdfe96
Instruction Fuzzy Hash: 9A91DF71D0426C9FCF25CFA4C884BDDBBB1AB59304F0490AAE549B7220DB70AE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 056A55CC, Relevance: 1.8, APIs: 1, Instructions: 257processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,056A555D,?,?,?), ref: 056A57C4

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: baadcc22c2729c09c95dc04fdaabb78b4598447bb9dbd95cd5bfe0980a9e3921
Instruction ID: 9ad42decee913ab76f02908b9d9ec41b9626e9453e7ab816b64db4cd8ffb9bae
Opcode Fuzzy Hash: baadcc22c2729c09c95dc04fdaabb78b4598447bb9dbd95cd5bfe0980a9e3921
Instruction Fuzzy Hash: ED91DF75D0426D9FCF25CFA4C880BDDBBB1AB59304F0490AAE549B7220DB70AE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 056A83A0, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056A847B

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3f762df0af20f54b854472e1f8c2b56ef64643287bcebf17ef0aacacda859a3f
Instruction ID: fb3dfde1ee97bba4375b5d9b9df7372c911b16e26dcd60271c03b9ba800cf79d
Opcode Fuzzy Hash: 3f762df0af20f54b854472e1f8c2b56ef64643287bcebf17ef0aacacda859a3f
Instruction Fuzzy Hash: AB41BAB5D052589FCF00CFA9D984AEEFBF1BB49314F14902AE815B7250D738AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 056A83A8, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056A847B

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e64ecf3b782851d95c9d151a166303fc9cb442f591275e2d6879b17e0cb6cc2
Instruction ID: 5f06bf55dc22a650ca1cc0b692c4b38de07e5e9b2eee6b89e1d8d5e165c06460
Opcode Fuzzy Hash: 0e64ecf3b782851d95c9d151a166303fc9cb442f591275e2d6879b17e0cb6cc2
Instruction Fuzzy Hash: 67418AB5D052589FCF00CFA9D984ADEBBF1BB49314F14942AE815B7210D738AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056A80B8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056A816A

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d96e098a068fe9ea6f3aa99ec3452aeb5a13dec772e364de9e9f3b489a715c3d
Instruction ID: 529abc3c2c47e15137de78963247c5155f68536603c10771f68d6b7678877f43
Opcode Fuzzy Hash: d96e098a068fe9ea6f3aa99ec3452aeb5a13dec772e364de9e9f3b489a715c3d
Instruction Fuzzy Hash: 8C31A9B9D04258DFCF00CFA9D884ADEBBB1BB49320F14942AE815B7710C735A946CF95

Uniqueness

Uniqueness Score: -1.00%

Function 056A80C0, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056A816A

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0842b807716100b6a4b2c94bd7c3698252b9105ec45a62753850f8cd650fc1cc
Instruction ID: 2304945c076de6b6b0bfaf58cefc4d865ada92d8dcdc36123b21bf8b9d03cb23
Opcode Fuzzy Hash: 0842b807716100b6a4b2c94bd7c3698252b9105ec45a62753850f8cd650fc1cc
Instruction Fuzzy Hash: D93186B9D042589FCF10CFA9D884ADEFBB1BB49310F14942AE815B7310D735A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056A8920, Relevance: 1.6, APIs: 1, Instructions: 98threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 056A89D7

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8180c9f6641a61b47ae8792199c2956fbc5071d26530753d148e8a2723ee1eee
Instruction ID: 9c4d579cc109bd9c27a7f13590cb3a181c59dc0269bf113a3caab260958383b0
Opcode Fuzzy Hash: 8180c9f6641a61b47ae8792199c2956fbc5071d26530753d148e8a2723ee1eee
Instruction Fuzzy Hash: 7841DBB5D052589FDB14CFA9D884AEEFBF1BF48314F14842AE415B7200D738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 056A75C0, Relevance: 1.6, APIs: 1, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 056A7677

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f784ee71e4bd0bb8fcafff371d0aa7aafddaa30efee034e4db57c787e54b321f
Instruction ID: b007828ff653ebc2063670f1feaa8d5320e41f031fa81783ece918b936b6be81
Opcode Fuzzy Hash: f784ee71e4bd0bb8fcafff371d0aa7aafddaa30efee034e4db57c787e54b321f
Instruction Fuzzy Hash: 2541CAB5D052589FCB10CFA9D884AEEFBF1BF48314F14942AE419B7600C738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0168AC1C, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 0168C007

Memory Dump Source

Source File: 00000014.00000002.626261199.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a7c3af3bf84b43e50c6e969a1a4af501a9238740f9361287d47ac6a5af0a273e
Instruction ID: fdfb44959a10b7862557d2e971fc78264f9d15a562550f0ce8f37638bd49c084
Opcode Fuzzy Hash: a7c3af3bf84b43e50c6e969a1a4af501a9238740f9361287d47ac6a5af0a273e
Instruction Fuzzy Hash: 183199B9D042589FCB10CFA9D884AEEFBF0BB19310F24902AE815B7310D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0168BF58, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 0168C007

Memory Dump Source

Source File: 00000014.00000002.626261199.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 53e47770a24c19034598cdac07be75ff8315ad46b0582f0c355f5974a9cb30f5
Instruction ID: 4d424ab0c0a3cbd8274a68e861701de881d19b121da01834fd0c22f42a1b1837
Opcode Fuzzy Hash: 53e47770a24c19034598cdac07be75ff8315ad46b0582f0c355f5974a9cb30f5
Instruction Fuzzy Hash: A73199B9D042589FCB10CFA9E884AEEFBB0BB19310F14902AE814B7310D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056F0E3A, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 056F0EE7

Memory Dump Source

Source File: 00000014.00000002.635061490.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 89198bc67f16afbe06e784858eba6b2c03074838b9cf44ca509721d53792ce7d
Instruction ID: 91f1d33f16d4a1183410ee3c497a8db31a72be40053950ea025633302551a292
Opcode Fuzzy Hash: 89198bc67f16afbe06e784858eba6b2c03074838b9cf44ca509721d53792ce7d
Instruction Fuzzy Hash: FE3199B9D052589FCB10CFA9D884ADEFBF0BB09320F14902AE815B7310D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056A8928, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 056A89D7

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 952a6da490ad59ec743b413b63872a1f40c6bc45ba2a01378c763019426c5b18
Instruction ID: a36baf5512448eae0e9bd232e2c93e98c02d40e97144292c2fbe90d0a877354d
Opcode Fuzzy Hash: 952a6da490ad59ec743b413b63872a1f40c6bc45ba2a01378c763019426c5b18
Instruction Fuzzy Hash: 2931DAB5D042589FCB10CFAAD884AEEFBF1BF48314F14802AE415B7200D738A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056A75C8, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,?), ref: 056A7677

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 90b0c51985be9d995bcc941c020a0e264d3d8a61048c0ff240eff4dac65bfc65
Instruction ID: f6e0810c21de0c48169797a4a78cd6cc73e8b41b26d8caedda0df6c720c56a8b
Opcode Fuzzy Hash: 90b0c51985be9d995bcc941c020a0e264d3d8a61048c0ff240eff4dac65bfc65
Instruction Fuzzy Hash: D231BBB5D052589FDB10CFAAD884AEEFBF1BB49314F14802AE415B7240C738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 056F0E40, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 056F0EE7

Memory Dump Source

Source File: 00000014.00000002.635061490.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0a8d3cee44c13ed303b4a768a49389ac7d0f2090490b410d67d9bd65cad42ed5
Instruction ID: 5ebad1db5858bd014401d47a6e1400771d3a8149674b82762152a7dcfa9435e0
Opcode Fuzzy Hash: 0a8d3cee44c13ed303b4a768a49389ac7d0f2090490b410d67d9bd65cad42ed5
Instruction Fuzzy Hash: 9B3197B9D052589FCB10CFA9E884ADEFBB0BB09320F14902AE815B7310D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056F15A8, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 056F1649

Memory Dump Source

Source File: 00000014.00000002.635061490.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ca546b7dbecdd44ab1915a36311971ca72da969dcde7a04cdfb4c260c5f29bc4
Instruction ID: b268f93034436dd64a9b4b3a415ec4b17db1fe39566e688765797f10da498337
Opcode Fuzzy Hash: ca546b7dbecdd44ab1915a36311971ca72da969dcde7a04cdfb4c260c5f29bc4
Instruction Fuzzy Hash: F531CCB4D05218DFCB00CFA9D984AAEFBF1BF49314F14846AE515B7610D334A986CF54

Uniqueness

Uniqueness Score: -1.00%

Function 056F15B0, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 056F1649

Memory Dump Source

Source File: 00000014.00000002.635061490.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bdfc47f2dd6f1a3472d28b95a15298b200d9c3eda8f8920ecd1b2fb3b81b7dc5
Instruction ID: b3edcc37759af8c575a3d0e5a01c62674f75251f0cbf2a2db2a26f0464a91826
Opcode Fuzzy Hash: bdfc47f2dd6f1a3472d28b95a15298b200d9c3eda8f8920ecd1b2fb3b81b7dc5
Instruction Fuzzy Hash: B731B8B4D05218DFCB10CFA9D884AEEFBF5BB49314F14806AE515B7210D734AA86CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056A8B78, Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 056A8BFE

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9cf5f819603394fb301caa5ca9a4c1e2037fbdc9e9379570de1e97127dfc3f70
Instruction ID: adcd1ee53fb66623931936391d17cefffd2e3da2b9b6d6dd852500f125be1eba
Opcode Fuzzy Hash: 9cf5f819603394fb301caa5ca9a4c1e2037fbdc9e9379570de1e97127dfc3f70
Instruction Fuzzy Hash: 3C31CAB5D052189FDF14CFA9D984AEEFBB1AF48314F14842AE815B7700CB34A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056A8B80, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 056A8BFE

Memory Dump Source

Source File: 00000014.00000002.634968291.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 42bf677313b0b1a7ba34917fd45b9b93f3f24d26c220bc9f220a3f99d9b0ef0c
Instruction ID: 7842466801910ff53153d4336c17d691fc34f06dc592f9a9669c5d06ced1cab9
Opcode Fuzzy Hash: 42bf677313b0b1a7ba34917fd45b9b93f3f24d26c220bc9f220a3f99d9b0ef0c
Instruction Fuzzy Hash: 7D31AAB5D052589FDF14CFA9D884AEEFBB5AB49314F14842AE815B7300CB34A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: InstallUtil.exe PID: 7088 Parent PID: 4408 InstallUtil.exeCOMMON

Executed Functions

Function 02DBB6C0, Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02DBB730
GetCurrentThread.KERNEL32 ref: 02DBB76D
GetCurrentProcess.KERNEL32 ref: 02DBB7AA
GetCurrentThreadId.KERNEL32 ref: 02DBB803

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 31a429bdb69e5bd5798902064a4bc6a1999e54b4480ce9f297eec9c4a9dce577
Instruction ID: a20a0363f50edfd13731a6bdaecd475cfc39ea7231be682b9377beef4afe6a2e
Opcode Fuzzy Hash: 31a429bdb69e5bd5798902064a4bc6a1999e54b4480ce9f297eec9c4a9dce577
Instruction Fuzzy Hash: 3C5144B4A057458FDB10CFA9C548BEEBBF0AF48318F24845AE419A7350C734AC45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DBB6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02DBB730
GetCurrentThread.KERNEL32 ref: 02DBB76D
GetCurrentProcess.KERNEL32 ref: 02DBB7AA
GetCurrentThreadId.KERNEL32 ref: 02DBB803

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36d60e6d661389e9eb9ae1549eec347eb51dc75db52e856230c7bc2fee40dd57
Instruction ID: 25ee577f587c18c7c5076615d5a14db0c7a591fe546665a029cf22f56463100a
Opcode Fuzzy Hash: 36d60e6d661389e9eb9ae1549eec347eb51dc75db52e856230c7bc2fee40dd57
Instruction Fuzzy Hash: 645124B4A057498FDB14CFA9C548BDEBBF1AF48318F20845AE419A7350C774AC45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05EF3378, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.632984589.0000000005EF0000.00000040.00000001.sdmp, Offset: 05EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f14065823bde443d878a3d39aeede61430a3b0c05b1b476e49740c19abe2f4a
Instruction ID: 4ad0e12b7fad25841c450491acf41d7752455365d46f809f9ca30f292633a238
Opcode Fuzzy Hash: 1f14065823bde443d878a3d39aeede61430a3b0c05b1b476e49740c19abe2f4a
Instruction Fuzzy Hash: C0817A71D04209DFDB10DFA9C880AEEFBB1FF88314F14852AE955BB250EB709945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DB93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DB962E

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 530f6a6e09559a0aaa0bf9891eaff38a329e0024235149746d617dcf5cb010d8
Instruction ID: 44fea432c924c541dd8b8b370c73ef52b21ca0dcd58b39992a59d33f87e367c0
Opcode Fuzzy Hash: 530f6a6e09559a0aaa0bf9891eaff38a329e0024235149746d617dcf5cb010d8
Instruction Fuzzy Hash: 99711270A00B458FD765DF2AC06079ABBF2BF88218F008A2DD58AD7B50DB34E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05491A4C, Relevance: 1.7, APIs: 1, Instructions: 185registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,05495F31,00020119,00000000,00000000,?), ref: 054962FF

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8cd1b266448db8a1965d02a6be8a47ed378646b29d42724ff8b150202b2ac7bf
Instruction ID: 6ad20040be5eac5b26547671bffc39b978f43e97a9737442d2cfa3ac75c3f12a
Opcode Fuzzy Hash: 8cd1b266448db8a1965d02a6be8a47ed378646b29d42724ff8b150202b2ac7bf
Instruction Fuzzy Hash: 05714770E042089FDF18CFA9C886BEEBBB1BF48314F15816AE855A7351DB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05496136, Relevance: 1.7, APIs: 1, Instructions: 183registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,05495F31,00020119,00000000,00000000,?), ref: 054962FF

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0f1672d6f09263ea54c28f5959c87a0a687692b5bf3a91f18f746b462a14a839
Instruction ID: 4c19e8534ed84f1037adaceaf2e567fdb41feb2a178ec3ec2e18064e0515fe10
Opcode Fuzzy Hash: 0f1672d6f09263ea54c28f5959c87a0a687692b5bf3a91f18f746b462a14a839
Instruction Fuzzy Hash: 25713770D042089FDF18CFA9C886BDEBBB1BF48314F15816AE855AB351DB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05EF3440, Relevance: 1.6, APIs: 1, Instructions: 137networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05EF3568

Memory Dump Source

Source File: 0000001A.00000002.632984589.0000000005EF0000.00000040.00000001.sdmp, Offset: 05EF0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: cc48bcd979c40ce96fe5d82133324c65d8028f75689bcdb3f71b79311337e6d7
Instruction ID: ea439f3edbfc6cb62b24841127ae78a84f9bb22b34a1cba5b3f40880feba364a
Opcode Fuzzy Hash: cc48bcd979c40ce96fe5d82133324c65d8028f75689bcdb3f71b79311337e6d7
Instruction Fuzzy Hash: B95127B1D042599FDF10CFA9C880ADEBBB1FF48318F24852AE955B7250DB709986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DBFBEC, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DBFD0A

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: db93303b03da5376b31f2374f556ad88d6fffc9ec180742db8b18b564c7a7f3f
Instruction ID: 5c201e3a73c7ce1278af342b951d15eb17a88a8caf06691762cccaa04e0e74be
Opcode Fuzzy Hash: db93303b03da5376b31f2374f556ad88d6fffc9ec180742db8b18b564c7a7f3f
Instruction Fuzzy Hash: F151D0B1D10308DFDB15CFA9D894ADEBBB1FF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DBFBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DBFD0A

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 333920aaf84bb6baf89b08e6e2328254315a78ee62f25fb048c2dcdeee43b6eb
Instruction ID: 281cee1baf36bc1fdc2d18888d49cf5d330b0c7fecd39c17cfa060a9e6be5b38
Opcode Fuzzy Hash: 333920aaf84bb6baf89b08e6e2328254315a78ee62f25fb048c2dcdeee43b6eb
Instruction Fuzzy Hash: 6441AFB1D10309DFDB15CF99C894ADEBBB5FF48314F24812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05495FBC, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 054960AF

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d586f9239b670c70cc6c84ce831f6d4f6344df73def81c8f0251388e9697a379
Instruction ID: a4df01df29d71a111638fe6a9a4a86ebdaf10b0a37c533199fa62b96a894325e
Opcode Fuzzy Hash: d586f9239b670c70cc6c84ce831f6d4f6344df73def81c8f0251388e9697a379
Instruction Fuzzy Hash: 7D4142B1D003189FDF14CFA9C986BDEBBB1BF48310F14852AE819AB340DB749841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05491A40, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 054960AF

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 44f8023917c2291e283737b076ded510a45793075d14e3d246d4cfb28ada6512
Instruction ID: a3916766a471161782a97a1d5bddb1d1a1ee5a6e315756eebb61162f24f46572
Opcode Fuzzy Hash: 44f8023917c2291e283737b076ded510a45793075d14e3d246d4cfb28ada6512
Instruction Fuzzy Hash: 554131B1D003589FDF14CFA9C886BDEBFB1BB48314F15812AE819AB350DB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054904C8, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0549049D

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d8589a7ff0bcd7ef4feb8e3844274e98421e3032002a8816d7745b7380e2ad62
Instruction ID: 4fe4b416b054321410d27fbb0c028fd7454d264916dd1cd24d166f680fd76eb6
Opcode Fuzzy Hash: d8589a7ff0bcd7ef4feb8e3844274e98421e3032002a8816d7745b7380e2ad62
Instruction Fuzzy Hash: D63148B4A04258CFDF18CFA9D849AEEBBF1BF49324F0581AAD419A7361C7349844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05495A58, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000), ref: 0549642F

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ceea91f230c3009d742c42457e2ce5bfa97a3968e563fb65bb55ec8edecbcfed
Instruction ID: cbd4af1d2101fd167ba948630203e7827e3a2ba50133dafe30414a43b1321bd8
Opcode Fuzzy Hash: ceea91f230c3009d742c42457e2ce5bfa97a3968e563fb65bb55ec8edecbcfed
Instruction Fuzzy Hash: A831B1718083888FDB11DFA9C495BDABFF0EF15214F4584AFC055E7641D7389885CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DBBCF9, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DBBD87

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6bc675502854132f1b286671715515a15ad3e8742873e7229c03606eaba9efab
Instruction ID: 099fa771f56d1a804418b0cc6df9a8ecdb0448c0b9d5df009477fa2cebc7528e
Opcode Fuzzy Hash: 6bc675502854132f1b286671715515a15ad3e8742873e7229c03606eaba9efab
Instruction Fuzzy Hash: A821D2B5901208DFDB11CFA9D984AEEBBF4EB48324F14842AE955A3310D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBBD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DBBD87

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 10c00550225f04f3823caa852955f57acb07833f17f9ae3cf22096d17c6d5d80
Instruction ID: 5a07ddc3f8b52cc65c00db10b9483e94373f0e31e84fea0f8ba35136801b76ff
Opcode Fuzzy Hash: 10c00550225f04f3823caa852955f57acb07833f17f9ae3cf22096d17c6d5d80
Instruction Fuzzy Hash: E821C2B5901208DFDB10CFAAD984ADEBBF8FB48324F14841AE955A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9849, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DB96A9,00000800,00000000,00000000), ref: 02DB98BA

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e4d0e33198448e2eaa623543114d18683918d8345269a2c3dcf2db49da762439
Instruction ID: 034b8bbdb056ce35b9318f3b46123655637063378541fa09c6a27cbbbfe8e7c1
Opcode Fuzzy Hash: e4d0e33198448e2eaa623543114d18683918d8345269a2c3dcf2db49da762439
Instruction Fuzzy Hash: AD2122B6900249CFDB11CF9AC444ADEBBF4AF88324F00842ED516A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DB96A9,00000800,00000000,00000000), ref: 02DB98BA

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 156628d9e5d5ce2273ab3088b1965299c53b152d68bd616ad5950a3d80ea9342
Instruction ID: 1912db349024c1e3b9f2eb898a3027d202607ca795a5b7a5762da8e32ef41f9b
Opcode Fuzzy Hash: 156628d9e5d5ce2273ab3088b1965299c53b152d68bd616ad5950a3d80ea9342
Instruction Fuzzy Hash: 6F11F2B69002499FDB10CF9AC444BDEBBF4EB48324F04842EE516B7700C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DBFE38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02DBFE9D

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b416f52e142e3f96c39c9869e844f3441ba73a1574628f3ba64820c99c9c0ac5
Instruction ID: 8f3878cf45819b5b9b400c2f2d9d094d99bc342dad214e7c5375b8e44ee7c082
Opcode Fuzzy Hash: b416f52e142e3f96c39c9869e844f3441ba73a1574628f3ba64820c99c9c0ac5
Instruction Fuzzy Hash: 8211E0B5900249CFDB20CF99D589BEEBBF4EB48324F10845AE859B7701C375A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05490438, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0549049D

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c1743c781774a2bb577d58f83c73f0f52d085ed6ffb66155a7da0798cd02d3b6
Instruction ID: 592a44e3e241d2e09b81d73fc92caa9a0589bcde012c9faaf3f40e712c8571d4
Opcode Fuzzy Hash: c1743c781774a2bb577d58f83c73f0f52d085ed6ffb66155a7da0798cd02d3b6
Instruction Fuzzy Hash: 5E11E0B1D046498FDB10CF9AD948BDEBBF4AB48324F10862AD529A3250D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DB95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DB962E

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 674ac91b44ee72112f53f5eabe4d8c60cd39f3fb8810221a7042b6dcb0fb94bf
Instruction ID: 50319de2e6d56f27719aac653a5abf97ad41d88505955c5c8d064252e055b25c
Opcode Fuzzy Hash: 674ac91b44ee72112f53f5eabe4d8c60cd39f3fb8810221a7042b6dcb0fb94bf
Instruction Fuzzy Hash: 4B11DFB6D002898FDB10CFAAC444BDEFBF4AF89224F14842AD529A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05495A48, Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000), ref: 0549642F

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 387dc0d490847f82c2c6b4c5b23697665cfa28a322ebc5766e360cee2cd2f03f
Instruction ID: 0cf35a61293867aa8920c6d339e8b4349bdae8dd3358fe5215329d427dc26dac
Opcode Fuzzy Hash: 387dc0d490847f82c2c6b4c5b23697665cfa28a322ebc5766e360cee2cd2f03f
Instruction Fuzzy Hash: 1F1130B19042488FCB20DF9AC489BEEBBF4EB88324F10842AD519B7640C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 054963CA, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000), ref: 0549642F

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b0cc8a3897f961157193d0a84117c70c0783b1fc1aa2fd8c81963b7d9b818eb0
Instruction ID: b4e7f39692b0f954ccbbba3eb56589164b90ced5b100d9e62c157a9f62abecec
Opcode Fuzzy Hash: b0cc8a3897f961157193d0a84117c70c0783b1fc1aa2fd8c81963b7d9b818eb0
Instruction Fuzzy Hash: 771112B1900248CFDB10DF9AD589BDEBBF4FB48324F10845AD519A7640C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DBFE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02DBFE9D

Memory Dump Source

Source File: 0000001A.00000002.627213472.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 08fced6062fc5bcce121b7fb6f2ca7123230684f4cf2ae0d889ed7d5cc6e323f
Instruction ID: 5fc4c3467437ff8bf97c03fdf967aa5eb169a15b7a6a12b94db0e5fde762f54a
Opcode Fuzzy Hash: 08fced6062fc5bcce121b7fb6f2ca7123230684f4cf2ae0d889ed7d5cc6e323f
Instruction Fuzzy Hash: 601100B5900208CFDB10CF99D989BEFBBF8EB48324F10841AE819A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05490440, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0549049D

Memory Dump Source

Source File: 0000001A.00000002.632444953.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 94d6344d650fd85b7fd641feb4477012f0fd4c91c2853b719d64148bc1cd7585
Instruction ID: a7ff90dffb357c9fff1c80dadf92c6b6531636ce0fd05474be5dc43dd45f7600
Opcode Fuzzy Hash: 94d6344d650fd85b7fd641feb4477012f0fd4c91c2853b719d64148bc1cd7585
Instruction Fuzzy Hash: 1311CEB1D046498FDB10DF9AD548BDEBBF4EB48324F10852AD429A3600D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011AD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.626222127.00000000011AD000.00000040.00000001.sdmp, Offset: 011AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a531c1cb7034ff46771f9f93c967e8c418b4397e86662fa27b21c602e6e90a
Instruction ID: f48d00537145066980b3098de7f826b11870096aa3a226532faa83e21408c4bb
Opcode Fuzzy Hash: f0a531c1cb7034ff46771f9f93c967e8c418b4397e86662fa27b21c602e6e90a
Instruction Fuzzy Hash: 892136B9504600DFDF09CF54E8C0B26BF71FB88328F60C568E9054AA07C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.626306726.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fcfb30cac38968ad6809fcf7ff3e2c29356778bab968d66283a1ff45e4a664
Instruction ID: 199172117af337daece1500a0fe7549303732841b1191242509c1983308cb049
Opcode Fuzzy Hash: 41fcfb30cac38968ad6809fcf7ff3e2c29356778bab968d66283a1ff45e4a664
Instruction Fuzzy Hash: 99212575608200DFDF1DCF54E4C0B66BB61FB88368F24C5ADD9094B246C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.626306726.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b4ba45f256770816f391d026369838773b34d2fd7e9bba1ddfe59a6ff268e4
Instruction ID: aa1dbfea9e7abcd4e812ec6a0b443e51ca99460325f674cf894a1fb37a75c01a
Opcode Fuzzy Hash: 55b4ba45f256770816f391d026369838773b34d2fd7e9bba1ddfe59a6ff268e4
Instruction Fuzzy Hash: C02180755083809FCB06CF24D9D4B11BF71EB46214F28C5DAD8498F2A7C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011AD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.626222127.00000000011AD000.00000040.00000001.sdmp, Offset: 011AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d041c195b4e30d341d02aae4de4fdaf8836022265772e994b819b8081c2768
Instruction ID: 5bb1760576ba0d5527c99bd21713068d7076008e3767f068d594a7feb31ef960
Opcode Fuzzy Hash: b5d041c195b4e30d341d02aae4de4fdaf8836022265772e994b819b8081c2768
Instruction Fuzzy Hash: CB11DF76904280CFCF06CF54D5C0B16BF71FB84324F2486A9D8454B617C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO#4018-308875.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre