Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.25241

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.25241 (renamed file extension from 25241 to exe)
Analysis ID:	344309
MD5:	81956bb4f67d790e13cfd18f4cdd779b
SHA1:	0bf781a6c1434d789f963d5dc76fdeae28cb01b4
SHA256:	f2b321a162040b2990fe549349f00c9a60c2827ea0e82486f9c2c785d14d1462
Tags:	NanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe (PID: 2140 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe' MD5: 81956BB4F67D790E13CFD18F4CDD779B)

schtasks.exe (PID: 4144 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe (PID: 5688 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe MD5: 81956BB4F67D790E13CFD18F4CDD779B)

SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe (PID: 5972 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe MD5: 81956BB4F67D790E13CFD18F4CDD779B)

dhcpmon.exe (PID: 5940 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 81956BB4F67D790E13CFD18F4CDD779B)

schtasks.exe (PID: 5328 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5920 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 81956BB4F67D790E13CFD18F4CDD779B)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["127.0.0.1:4009"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x25edd:$x1: NanoCore.ClientPluginHost 0x25f1a:$x2: IClientNetworkHost 0x29a4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x25c45:$a: NanoCore 0x25c55:$a: NanoCore 0x25e89:$a: NanoCore 0x25e9d:$a: NanoCore 0x25edd:$a: NanoCore 0x25ca4:$b: ClientPlugin 0x25ea6:$b: ClientPlugin 0x25ee6:$b: ClientPlugin 0x25dcb:$c: ProjectData 0x267d2:$d: DESCrypto 0x2e19e:$e: KeepAlive 0x2c18c:$g: LogClientMessage 0x28387:$i: get_Connected 0x26b08:$j: #=q 0x26b38:$j: #=q 0x26b54:$j: #=q 0x26b84:$j: #=q 0x26ba0:$j: #=q 0x26bbc:$j: #=q 0x26bec:$j: #=q 0x26c08:$j: #=q
00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f0d:$a: NanoCore 0x42f66:$a: NanoCore 0x42fa3:$a: NanoCore 0x4301c:$a: NanoCore 0x566c7:$a: NanoCore 0x566dc:$a: NanoCore 0x56711:$a: NanoCore 0x6f173:$a: NanoCore 0x6f188:$a: NanoCore 0x6f1bd:$a: NanoCore 0x42f6f:$b: ClientPlugin 0x42fac:$b: ClientPlugin 0x438aa:$b: ClientPlugin 0x438b7:$b: ClientPlugin 0x56483:$b: ClientPlugin 0x5649e:$b: ClientPlugin 0x564ce:$b: ClientPlugin 0x566e5:$b: ClientPlugin 0x5671a:$b: ClientPlugin 0x6ef2f:$b: ClientPlugin 0x6ef4a:$b: ClientPlugin
00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f0d:$a: NanoCore 0x2f66:$a: NanoCore 0x2fa3:$a: NanoCore 0x301c:$a: NanoCore 0x166c7:$a: NanoCore 0x166dc:$a: NanoCore 0x16711:$a: NanoCore 0x2f173:$a: NanoCore 0x2f188:$a: NanoCore 0x2f1bd:$a: NanoCore 0x2f6f:$b: ClientPlugin 0x2fac:$b: ClientPlugin 0x38aa:$b: ClientPlugin 0x38b7:$b: ClientPlugin 0x16483:$b: ClientPlugin 0x1649e:$b: ClientPlugin 0x164ce:$b: ClientPlugin 0x166e5:$b: ClientPlugin 0x1671a:$b: ClientPlugin 0x2ef2f:$b: ClientPlugin 0x2ef4a:$b: ClientPlugin
00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000006.00000002.265566275.0000000003081000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26ee4d:$x1: NanoCore.ClientPluginHost 0x26ee8a:$x2: IClientNetworkHost 0x2729bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x26ebb5:$a: NanoCore 0x26ebc5:$a: NanoCore 0x26edf9:$a: NanoCore 0x26ee0d:$a: NanoCore 0x26ee4d:$a: NanoCore 0x26ec14:$b: ClientPlugin 0x26ee16:$b: ClientPlugin 0x26ee56:$b: ClientPlugin 0x1abe25:$c: ProjectData 0x212445:$c: ProjectData 0x26ed3b:$c: ProjectData 0x26f742:$d: DESCrypto 0x27710e:$e: KeepAlive 0x2750fc:$g: LogClientMessage 0x2712f7:$i: get_Connected 0x26fa78:$j: #=q 0x26faa8:$j: #=q 0x26fac4:$j: #=q 0x26faf4:$j: #=q 0x26fb10:$j: #=q 0x26fb2c:$j: #=q
00000000.00000002.223203688.0000000002971000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26ee4d:$x1: NanoCore.ClientPluginHost 0x26ee8a:$x2: IClientNetworkHost 0x2729bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x26ebb5:$a: NanoCore 0x26ebc5:$a: NanoCore 0x26edf9:$a: NanoCore 0x26ee0d:$a: NanoCore 0x26ee4d:$a: NanoCore 0x26ec14:$b: ClientPlugin 0x26ee16:$b: ClientPlugin 0x26ee56:$b: ClientPlugin 0x1abe25:$c: ProjectData 0x212445:$c: ProjectData 0x26ed3b:$c: ProjectData 0x26f742:$d: DESCrypto 0x27710e:$e: KeepAlive 0x2750fc:$g: LogClientMessage 0x2712f7:$i: get_Connected 0x26fa78:$j: #=q 0x26faa8:$j: #=q 0x26fac4:$j: #=q 0x26faf4:$j: #=q 0x26fb10:$j: #=q 0x26fb2c:$j: #=q
0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f078:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24edd:$x1: NanoCore.ClientPluginHost 0x24f1a:$x2: IClientNetworkHost 0x28a4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24c45:$a: NanoCore 0x24c55:$a: NanoCore 0x24e89:$a: NanoCore 0x24e9d:$a: NanoCore 0x24edd:$a: NanoCore 0x24ca4:$b: ClientPlugin 0x24ea6:$b: ClientPlugin 0x24ee6:$b: ClientPlugin 0x24dcb:$c: ProjectData 0x257d2:$d: DESCrypto 0x2d19e:$e: KeepAlive 0x2b18c:$g: LogClientMessage 0x27387:$i: get_Connected 0x25b08:$j: #=q 0x25b38:$j: #=q 0x25b54:$j: #=q 0x25b84:$j: #=q 0x25ba0:$j: #=q 0x25bbc:$j: #=q 0x25bec:$j: #=q 0x25c08:$j: #=q
00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: dhcpmon.exe PID: 5920	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1ff97:$x1: NanoCore.ClientPluginHost 0x41248:$x1: NanoCore.ClientPluginHost 0x46e07:$x1: NanoCore.ClientPluginHost 0x57c45:$x1: NanoCore.ClientPluginHost 0xe2a68:$x1: NanoCore.ClientPluginHost 0x1fff8:$x2: IClientNetworkHost 0x4126e:$x2: IClientNetworkHost 0x46e4c:$x2: IClientNetworkHost 0x57c8a:$x2: IClientNetworkHost 0xe2a8e:$x2: IClientNetworkHost 0x253fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3336f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5920	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5920	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fa9c:$a: NanoCore 0x1fab8:$a: NanoCore 0x1fc13:$a: NanoCore 0x1fc22:$a: NanoCore 0x1fefb:$a: NanoCore 0x1ff27:$a: NanoCore 0x1ff97:$a: NanoCore 0x2f9d9:$a: NanoCore 0x2f9eb:$a: NanoCore 0x2fa27:$a: NanoCore 0x4113a:$a: NanoCore 0x411db:$a: NanoCore 0x41248:$a: NanoCore 0x41309:$a: NanoCore 0x421da:$a: NanoCore 0x4222d:$a: NanoCore 0x42266:$a: NanoCore 0x422d9:$a: NanoCore 0x46d81:$a: NanoCore 0x46dae:$a: NanoCore 0x46e07:$a: NanoCore
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5d439:$x1: NanoCore.ClientPluginHost 0x5d49a:$x2: IClientNetworkHost 0x6289f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x70811:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5cf3e:$a: NanoCore 0x5cf5a:$a: NanoCore 0x5d0b5:$a: NanoCore 0x5d0c4:$a: NanoCore 0x5d39d:$a: NanoCore 0x5d3c9:$a: NanoCore 0x5d439:$a: NanoCore 0x6ce7b:$a: NanoCore 0x6ce8d:$a: NanoCore 0x6cec9:$a: NanoCore 0x5cfe5:$b: ClientPlugin 0x5d10e:$b: ClientPlugin 0x5d3d2:$b: ClientPlugin 0x5d442:$b: ClientPlugin 0x6ce96:$b: ClientPlugin 0x6ced2:$b: ClientPlugin 0xa92e:$c: ProjectData 0x1277f:$c: ProjectData 0x14d21:$c: ProjectData 0x5d25b:$c: ProjectData 0x6cdc8:$c: ProjectData
Process Memory Space: dhcpmon.exe PID: 5940	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd4dbe:$x1: NanoCore.ClientPluginHost 0xd4e1f:$x2: IClientNetworkHost 0xda224:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe8196:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5940	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5940	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5940	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd48c3:$a: NanoCore 0xd48df:$a: NanoCore 0xd4a3a:$a: NanoCore 0xd4a49:$a: NanoCore 0xd4d22:$a: NanoCore 0xd4d4e:$a: NanoCore 0xd4dbe:$a: NanoCore 0xe4800:$a: NanoCore 0xe4812:$a: NanoCore 0xe484e:$a: NanoCore 0xd496a:$b: ClientPlugin 0xd4a93:$b: ClientPlugin 0xd4d57:$b: ClientPlugin 0xd4dc7:$b: ClientPlugin 0xe481b:$b: ClientPlugin 0xe4857:$b: ClientPlugin 0xa4fc:$c: ProjectData 0x22e91:$c: ProjectData 0x25433:$c: ProjectData 0x6777d:$c: ProjectData 0x69e17:$c: ProjectData
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14d13f:$x1: NanoCore.ClientPluginHost 0x152cfe:$x1: NanoCore.ClientPluginHost 0x163b27:$x1: NanoCore.ClientPluginHost 0x201a86:$x1: NanoCore.ClientPluginHost 0x2ef55e:$x1: NanoCore.ClientPluginHost 0x14d165:$x2: IClientNetworkHost 0x152d43:$x2: IClientNetworkHost 0x163b6c:$x2: IClientNetworkHost 0x201aac:$x2: IClientNetworkHost 0x2ef5bf:$x2: IClientNetworkHost 0x2f49c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x302936:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5d49d:$a: NanoCore 0x5d504:$a: NanoCore 0x5d5a7:$a: NanoCore 0xdc484:$a: NanoCore 0x14d031:$a: NanoCore 0x14d0d2:$a: NanoCore 0x14d13f:$a: NanoCore 0x14d200:$a: NanoCore 0x14e0d1:$a: NanoCore 0x14e124:$a: NanoCore 0x14e15d:$a: NanoCore 0x14e1d0:$a: NanoCore 0x152c78:$a: NanoCore 0x152ca5:$a: NanoCore 0x152cfe:$a: NanoCore 0x15a50d:$a: NanoCore 0x15a520:$a: NanoCore 0x15a552:$a: NanoCore 0x163aa1:$a: NanoCore 0x163ace:$a: NanoCore 0x163b27:$a: NanoCore
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5db0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5db0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, ProcessId: 5972, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, ParentProcessId: 2140, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp', ProcessId: 4144

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5972.5.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["127.0.0.1:4009"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 35%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	Virustotal: Detection: 35%	Perma Link
Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Virustotal: Detection: 35%			Perma Link
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	ReversingLabs: Detection: 30%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Joe Sandbox ML: detected

Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack	Avira: Label: TR/NanoCore.fadte
Source: 11.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 127.0.0.1:4009

Source: dhcpmon.exe, 0000000B.00000002.280060421.00000000015E7000.00000004.00000020.sdmp	String found in binary or memory: http://go.mic
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.222654499.0000000000DCB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5db0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 0_2_0116A4D8	0_2_0116A4D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 0_2_0116C614	0_2_0116C614
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 0_2_0116EAD0	0_2_0116EAD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 0_2_0116EAE0	0_2_0116EAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 5_2_01B5E480	5_2_01B5E480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 5_2_01B5E471	5_2_01B5E471
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Code function: 5_2_01B5BBD4	5_2_01B5BBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_054CC614	6_2_054CC614
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_054CEAD0	6_2_054CEAD0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_054CEAE0	6_2_054CEAE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_031BE471	11_2_031BE471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_031BE480	11_2_031BE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_031BBBD4	11_2_031BBBD4

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe F2B321A162040B2990FE549349F00C9A60C2827EA0E82486F9C2C785D14D1462
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe F2B321A162040B2990FE549349F00C9A60C2827EA0E82486F9C2C785D14D1462

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TrXHdHpWh.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.222257881.000000000060E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEnumInt64TypeInfo.exe. vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.222654499.0000000000DCB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.227420790.0000000006230000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.228213122.0000000006330000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.228213122.0000000006330000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000004.00000002.220283276.000000000024E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEnumInt64TypeInfo.exe. vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594056626.00000000065F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594527145.0000000006FB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.586649807.000000000103E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEnumInt64TypeInfo.exe. vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Binary or memory string: OriginalFilenameEnumInt64TypeInfo.exe. vs SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5db0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5db0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/9@0/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File created: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b4dbb526-0da4-4453-8602-b00f5f7a8285}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\dbtwNmbxuXxomvAczU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7261.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Virustotal: Detection: 35%
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717
Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717
Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717

Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	File created: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.265566275.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223203688.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Window / User API: threadDelayed 3669	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Window / User API: threadDelayed 5832	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Window / User API: foregroundWindowGot 474	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Window / User API: foregroundWindowGot 1353	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe TID: 464	Thread sleep time: -49643s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe TID: 5440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe TID: 3840	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2412	Thread sleep time: -52994s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594527145.0000000006FB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594527145.0000000006FB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594527145.0000000006FB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.222723335.0000000000DFF000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.222723335.0000000000DFF000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594527145.0000000006FB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.594354708.0000000006A6D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.588703478.0000000001F10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592390913.0000000003859000.00000004.00000001.sdmp	Binary or memory string: Program Manager88
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.588703478.0000000001F10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.588703478.0000000001F10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.589193315.000000000341E000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa#lh
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.588827159.0000000003377000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$#l

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972, type: MEMORY
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading2	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	35%	Virustotal		Browse
SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	35%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	35%	Virustotal		Browse
C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.5dd0000.4.unpack	100%	Avira	TR/NanoCore.fadte	Download File
11.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://go.mic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe, 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, dhcpmon.exe, 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp	false		high
http://go.mic	dhcpmon.exe, 0000000B.00000002.280060421.00000000015E7000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1
127.0.0.1:4009

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344309
Start date:	26.01.2021
Start time:	12:23:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.25241 (renamed file extension from 25241 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/9@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 59.9% Quality standard deviation: 18.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 98 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:24:48	API Interceptor	1481x Sleep call for process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe modified
12:24:58	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
12:25:08	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PO-FRE590164.xlsx	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	PO-FRE590164.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	781824
Entropy (8bit):	6.923780842614681
Encrypted:	false
SSDEEP:	6144:pQj+CfD1Wb4XogN1uFxjWa2dAdo6IW8bqDchIyDINbtxMOlBRE0ffLjVqE6kXI2i:uC4V1tdA8bqwhBAtNdE0XvVH6kS
MD5:	81956BB4F67D790E13CFD18F4CDD779B
SHA1:	0BF781A6C1434D789F963D5DC76FDEAE28CB01B4
SHA-256:	F2B321A162040B2990FE549349F00C9A60C2827EA0E82486F9C2C785D14D1462
SHA-512:	A6EFB7CD565B2DA0811A79C8EEAB2D4DC470296A7ECCB4BADB21DDAF1ADD94EF3F2F02E2223212A19564137B08919434D65E8BE99F1779E9DD475EB11443E9D7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 35%, Browse Antivirus: ReversingLabs, Detection: 30%
Joe Sandbox View:	Filename: PO-FRE590164.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..T...........r... ........... .......................@............@.................................lr..O.......P.................... ....................................................... ............... ..H............text....R... ...T.................. ..`.rsrc...P............V..............@..@.reloc....... ......................@..B.................r......H...........d...........D...(.............................................(....&..(......s.........s.........s ........s!........s"...........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+..&..((.......0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....rE..p~....o-...(......t$....+.....0..<........~.....().....,!

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7261.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.190572181064251
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAtn:cbh47TlNQ//rydbz9I3YODOLNdq3k
MD5:	9B8DAE50683D5E82527A85241D18D23A
SHA1:	396D9BA714A271A35F2BDBD0191909C1B7B0B6AA
SHA-256:	485BA4B410561795E6DF09517400958D3930DFC35925C48C2F702DD11F57E812
SHA-512:	D33792805AFB31E5997FC12B5271D887EA2FB88475CB5AACC618819AD6E281E292E410875B06AE8F51199E611BE7F630FA0737A0344AC92FA4714E8CF5C0C98C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.190572181064251
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAtn:cbh47TlNQ//rydbz9I3YODOLNdq3k
MD5:	9B8DAE50683D5E82527A85241D18D23A
SHA1:	396D9BA714A271A35F2BDBD0191909C1B7B0B6AA
SHA-256:	485BA4B410561795E6DF09517400958D3930DFC35925C48C2F702DD11F57E812
SHA-512:	D33792805AFB31E5997FC12B5271D887EA2FB88475CB5AACC618819AD6E281E292E410875B06AE8F51199E611BE7F630FA0737A0344AC92FA4714E8CF5C0C98C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:ud:ud
MD5:	28118F807F7A01BACBE5AB8F768230F2
SHA1:	923C85C167925A747D112AB236E7E0D35CD26AAF
SHA-256:	1436045EFE2197D379E927706C81950B8265DEA31BB5F03F0A49BB6CA6859342
SHA-512:	A3C676D01F0CE7FF931FE25F1C75E4DC6C7D1A43BDB5706288955FF2B2B43EF9B5ACC68B551794CA5C1E4D52D838E5B6D3B74B7FDEC58D50B40A8A4FE1FC683E
Malicious:	true
Preview:	k.8p8..H

C:\Users\user\AppData\Roaming\TrXHdHpWh.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	781824
Entropy (8bit):	6.923780842614681
Encrypted:	false
SSDEEP:	6144:pQj+CfD1Wb4XogN1uFxjWa2dAdo6IW8bqDchIyDINbtxMOlBRE0ffLjVqE6kXI2i:uC4V1tdA8bqwhBAtNdE0XvVH6kS
MD5:	81956BB4F67D790E13CFD18F4CDD779B
SHA1:	0BF781A6C1434D789F963D5DC76FDEAE28CB01B4
SHA-256:	F2B321A162040B2990FE549349F00C9A60C2827EA0E82486F9C2C785D14D1462
SHA-512:	A6EFB7CD565B2DA0811A79C8EEAB2D4DC470296A7ECCB4BADB21DDAF1ADD94EF3F2F02E2223212A19564137B08919434D65E8BE99F1779E9DD475EB11443E9D7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 35%, Browse Antivirus: ReversingLabs, Detection: 30%
Joe Sandbox View:	Filename: PO-FRE590164.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..T...........r... ........... .......................@............@.................................lr..O.......P.................... ....................................................... ............... ..H............text....R... ...T.................. ..`.rsrc...P............V..............@..@.reloc....... ......................@..B.................r......H...........d...........D...(.............................................(....&..(......s.........s.........s ........s!........s"...........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+..&..((.......0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....rE..p~....o-...(......t$....+.....0..<........~.....().....,!

C:\Users\user\AppData\Roaming\TrXHdHpWh.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.923780842614681
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
File size:	781824
MD5:	81956bb4f67d790e13cfd18f4cdd779b
SHA1:	0bf781a6c1434d789f963d5dc76fdeae28cb01b4
SHA256:	f2b321a162040b2990fe549349f00c9a60c2827ea0e82486f9c2c785d14d1462
SHA512:	a6efb7cd565b2da0811a79c8eeab2d4dc470296a7eccb4badb21ddaf1add94ef3f2f02e2223212a19564137b08919434d65e8be99f1779e9dd475eb11443e9d7
SSDEEP:	6144:pQj+CfD1Wb4XogN1uFxjWa2dAdo6IW8bqDchIyDINbtxMOlBRE0ffLjVqE6kXI2i:uC4V1tdA8bqwhBAtNdE0XvVH6kS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..T...........r... ........... .......................@............@................................

File Icon


Icon Hash:	0000000000000000

Static PE Info

General
Entrypoint:	0x110a72be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x600EA984 [Mon Jan 25 11:20:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa726c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x19550	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa52c4	0xa5400	False	0.682253746691	data	7.47933743717	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x19550	0x19600	False	0.0550819735222	data	1.06100151007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa81a0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xa8618	0x860	PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced
RT_ICON	0xa8e88	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xab440	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xac4f8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xbcd30	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xc0f68	0x5a	data
RT_VERSION	0xc0fd4	0x37c	data
RT_MANIFEST	0xc1360	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Bharat Biotech (C) 2021
Assembly Version	48.0.31.9
InternalName	EnumInt64TypeInfo.exe
FileVersion	48.0.31.09
CompanyName	Bharat Biotech
LegalTrademarks
Comments	BBV152
ProductName	BBV152
ProductVersion	48.0.31.09
FileDescription	BBV152
OriginalFilename	EnumInt64TypeInfo.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140 Parent PID: 5508

General

Start time:	12:24:46
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe'
Imagebase:	0x550000
File size:	781824 bytes
MD5 hash:	81956BB4F67D790E13CFD18F4CDD779B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.223308431.00000000029F4000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.224082730.0000000003C5A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.223203688.0000000002971000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.223591630.0000000003979000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4144 Parent PID: 2140

General

Start time:	12:24:49
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp7261.tmp'
Imagebase:	0x1290000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4900 Parent PID: 4144

General

Start time:	12:24:49
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5688 Parent PID: 2140

General

Start time:	12:24:50
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Imagebase:	0x190000
File size:	781824 bytes
MD5 hash:	81956BB4F67D790E13CFD18F4CDD779B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972 Parent PID: 2140

General

Start time:	12:24:50
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe
Imagebase:	0xf80000
File size:	781824 bytes
MD5 hash:	81956BB4F67D790E13CFD18F4CDD779B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.593932054.0000000005DD0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.592605604.0000000004369000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.593888952.0000000005DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.585642797.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5940 Parent PID: 3388

General

Start time:	12:25:06
Start date:	26/01/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc70000
File size:	781824 bytes
MD5 hash:	81956BB4F67D790E13CFD18F4CDD779B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.265717301.0000000003104000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.265566275.0000000003081000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.266031513.0000000004089000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.266422489.000000000436B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, Virustotal, Browse Detection: 30%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5328 Parent PID: 5940

General

Start time:	12:25:09
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE4C.tmp'
Imagebase:	0x1090000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5444 Parent PID: 5328

General

Start time:	12:25:10
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5920 Parent PID: 5940

General

Start time:	12:25:10
Start date:	26/01/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xdf0000
File size:	781824 bytes
MD5 hash:	81956BB4F67D790E13CFD18F4CDD779B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.279683575.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.280508586.00000000042F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.280435129.00000000032F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 2140 Parent PID: 5508 SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exeCOMMON

Executed Functions

Function 0116BD21, Relevance: 6.1, APIs: 4, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0116BD90
GetCurrentThread.KERNEL32 ref: 0116BDCD
GetCurrentProcess.KERNEL32 ref: 0116BE0A
GetCurrentThreadId.KERNEL32 ref: 0116BE63

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d864161a8848fc09aa0e357229f255d1149686a62db71b288df584887e6886b5
Instruction ID: e21ec965b953fbeb880fc566691d35d4908ace8539aec6502b105630eb7952cc
Opcode Fuzzy Hash: d864161a8848fc09aa0e357229f255d1149686a62db71b288df584887e6886b5
Instruction Fuzzy Hash: C95154B0A047488FDB14CFA9D6487AEBBF0EF88304F248499E019AB251CB745944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0116BD30, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0116BD90
GetCurrentThread.KERNEL32 ref: 0116BDCD
GetCurrentProcess.KERNEL32 ref: 0116BE0A
GetCurrentThreadId.KERNEL32 ref: 0116BE63

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 57a5717a473c39f9fc9e265e4265244c9855bd78edac3cb43de7d542e2e999c6
Instruction ID: f474e265083179fbcf11225a64da7ad26ec0cda4402e6cbbdf26f7ef305c29c8
Opcode Fuzzy Hash: 57a5717a473c39f9fc9e265e4265244c9855bd78edac3cb43de7d542e2e999c6
Instruction Fuzzy Hash: 9A5152B0A047088FDB14CFA9D648BAEBBF4EB88304F208469E119AB351DB756944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01169A30, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01169C76

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5742ae7d34a86597bfa6e1aa1d09d0128f06a028290fa677b65ca7a402ed2e6f
Instruction ID: 08d644012b8d2ac9e1b06a8599acbb696a489b616d0cca95597c15871545b069
Opcode Fuzzy Hash: 5742ae7d34a86597bfa6e1aa1d09d0128f06a028290fa677b65ca7a402ed2e6f
Instruction Fuzzy Hash: 28714970A00B058FDB28DF29D4417AABBF5FF88204F10892DD596DBA50DB75E815CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0116BF50, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116BFDF

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5354f49b87ceb2adbefaab648511c12f3c3783e18fcd9165b4c5df2fafc532a0
Instruction ID: dfed4814961808febe6201a906c61587eac52153b1380dbdb5dfc213f850e19c
Opcode Fuzzy Hash: 5354f49b87ceb2adbefaab648511c12f3c3783e18fcd9165b4c5df2fafc532a0
Instruction Fuzzy Hash: 3F2105B5D002499FDB10CFA9D984AEEBBF4FF48320F14805AE914A7250D774AA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0116BF58, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116BFDF

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 605625c309c10f687fff985e52550a1f05763b511cb2979150f467b03a488a92
Instruction ID: 8cdb11cae98fcc97f7db02f21211f9a3fce7ee156b6c84d0a53e44bfae433315
Opcode Fuzzy Hash: 605625c309c10f687fff985e52550a1f05763b511cb2979150f467b03a488a92
Instruction Fuzzy Hash: F521F5B59002489FDB10CFAAD984ADEBFF8FB48320F14805AE914B3310D775A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01168DF8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01169CF1,00000800,00000000,00000000), ref: 01169F02

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6880db8c3919cd2fc5cfa3c631a69ef799deea0aa6fb63dd6b249b9e8531bb11
Instruction ID: c7504424707aa1b3f253660336c84dd4bfbd9fb5a9f88a658e2a194392779d68
Opcode Fuzzy Hash: 6880db8c3919cd2fc5cfa3c631a69ef799deea0aa6fb63dd6b249b9e8531bb11
Instruction Fuzzy Hash: 211114B29043488FDB14CF9AD844ADEFBF8EB88314F11846EE519B7200C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01169E91, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01169CF1,00000800,00000000,00000000), ref: 01169F02

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9187cbfff4a9356a4f5e3e0dd0114f5c90310df5633bb6702eff99ed191a6d02
Instruction ID: b152456d50bde81802b6dc7ab7758f31093b668c00391a20c8453d2879fffcbe
Opcode Fuzzy Hash: 9187cbfff4a9356a4f5e3e0dd0114f5c90310df5633bb6702eff99ed191a6d02
Instruction Fuzzy Hash: 101144B28002488FCB10CFAAD444AEEFFF4EF88324F15846ED555A7200C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01169C10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01169C76

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d5c04777b9ac6152be1ee27209427f25f6c077fd64dda6bf849336faf96532cf
Instruction ID: 267cabc08b561f7f6c7b8ae1bc98fc0ab2020754d0280bc4d9b5ddcc167a4598
Opcode Fuzzy Hash: d5c04777b9ac6152be1ee27209427f25f6c077fd64dda6bf849336faf96532cf
Instruction Fuzzy Hash: B51110B2C006498FDB14CF9AD544BDEFBF8EB88224F10851AD429B7600C379A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222501241.0000000000BBD000.00000040.00000001.sdmp, Offset: 00BBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c275859849d7dd6855f07680559f3f0cdf310b6198b3c9b45a2f6f9be03af61
Instruction ID: a17e5a07c277c47e12ef1b2178f0763f209c8f4c1af219576481ae4867f82c9c
Opcode Fuzzy Hash: 8c275859849d7dd6855f07680559f3f0cdf310b6198b3c9b45a2f6f9be03af61
Instruction Fuzzy Hash: 35214871504240DFDB11DF14D8C0BB6BFA5FB98328F24C5A8E9090B246D37AD845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222546243.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bfcc2d229d44770dd0c43d8b8dfd0953659998e2db1ce10a8c0183c1bd385c
Instruction ID: f58d2f49f77afe0f8c61005f237edd737869a8117af1d4afa34299f88433bf25
Opcode Fuzzy Hash: f0bfcc2d229d44770dd0c43d8b8dfd0953659998e2db1ce10a8c0183c1bd385c
Instruction Fuzzy Hash: AB21C575908240DFDB14DF24D9C4B26BBA5FB88314F24C56EEA0A4B346C736E846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222546243.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2515ca423bce78eca4e0a42f4c17a90a87069c3fade82eeb0e3bbee10fbc4f96
Instruction ID: 48a2cfdf2d6a57dbb0eaab45783449e5c04cd53b767750b1b05b01988890f830
Opcode Fuzzy Hash: 2515ca423bce78eca4e0a42f4c17a90a87069c3fade82eeb0e3bbee10fbc4f96
Instruction Fuzzy Hash: B2217F755093808FCB12CF24D990715BF71AB86314F28C5EBD8498B697C33A990ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222501241.0000000000BBD000.00000040.00000001.sdmp, Offset: 00BBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: f843ba45e686623d31ba83cbb67c220b9bd33d411af5745131309715eb9e467f
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: 5111D376504280CFCF12CF14D5C4B6ABFB1FB94324F28C6A9D8050B656C37AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222501241.0000000000BBD000.00000040.00000001.sdmp, Offset: 00BBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2327a5e757220f93165bc7a485bf7e8b6d57c108078ce592d95d1d66de06d467
Instruction ID: 44529c34456de85850ad7ccbdb4da5b290fb3518350d2e6edbc09c1d7c880d8d
Opcode Fuzzy Hash: 2327a5e757220f93165bc7a485bf7e8b6d57c108078ce592d95d1d66de06d467
Instruction Fuzzy Hash: 2B01D461509744ABE7108A27CCC47F6BBD8EF41328F28C499ED044A282EBBC9C44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222501241.0000000000BBD000.00000040.00000001.sdmp, Offset: 00BBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95c951a7d7342d6e7f6f73ed092b3b4ef57f361c3e13559e85ba3ee93f9af8b
Instruction ID: 7eb60a08a8991df79c600229a3bca9d71376bd9a2998de7c2bf4584ca23ad22b
Opcode Fuzzy Hash: e95c951a7d7342d6e7f6f73ed092b3b4ef57f361c3e13559e85ba3ee93f9af8b
Instruction Fuzzy Hash: 77F0C871405244ABE7108A16DC847B2FBDCDB81334F18C59AED044F242D3B89C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0116EAE0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f2a85fbb359509fe28fa7c9c7b4f2a61936dacb900b6852a4e117d51ffc956
Instruction ID: 73080eb8505bfb858c7ad235a59d2de28e4e7ede254c55739690f3a216a4e7cc
Opcode Fuzzy Hash: f4f2a85fbb359509fe28fa7c9c7b4f2a61936dacb900b6852a4e117d51ffc956
Instruction Fuzzy Hash: 9012B1B1411F46CAE710DF65FC983897BA1B745328B904308D261BBBF9D7B4214ACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0116C614, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb262b8f55855331c655bf322308dea09401b7ac63787a21cb6f3fd40e619ce
Instruction ID: 67e2a044841ab4693b773f59e092e142d404b3bfae9b13c74787f6125b9a4c8a
Opcode Fuzzy Hash: 3bb262b8f55855331c655bf322308dea09401b7ac63787a21cb6f3fd40e619ce
Instruction Fuzzy Hash: 90A18E36E0021ACFCF09DFB5C8445DEBBB6FF84300B15856AE905AB220EB72A955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0116EAD0, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b94c5697a1649f4a2b7a7895ca7c8fb013472ce112f63ff58fd61817002409
Instruction ID: 6e19a47480cde8bd8e04f9809b23948c1da62362a4649c937136f0b9661a481f
Opcode Fuzzy Hash: 61b94c5697a1649f4a2b7a7895ca7c8fb013472ce112f63ff58fd61817002409
Instruction Fuzzy Hash: 03C107B1811B46CAD711DF65FC883897B61BB85328F604309D161BB7F8D7B4204ACFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0116A4D8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222891516.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e290504b3c7a2ea80157d388c599103748af8e316c0e16021da7c34a81bf9dd0
Instruction ID: 2509f4499a3bc43ff7b5e313c92b5ccf54081d4755ca428e85acf5e7b8ab2496
Opcode Fuzzy Hash: e290504b3c7a2ea80157d388c599103748af8e316c0e16021da7c34a81bf9dd0
Instruction Fuzzy Hash: E211261118D6E20BE3535A3414A34D5BFD1C89203476E25FC8ED14F1F3EA0AE44BD796

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exe PID: 5972 Parent PID: 2140 SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.exeCOMMON

Executed Functions

Function 06AA323A, Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

%$l, xrefs: 06AA328B
%$l, xrefs: 06AA3270
%$l, xrefs: 06AA32A6

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID: %$l$ %$l$ %$l
API String ID: 0-3715886128
Opcode ID: 08037ae304aadf247731457b977ae54c4ac73947042d1087cdc9497f306f949b
Instruction ID: ac1022b8510730c10bb1693b47b4f04f1c1d1fa2af1bd18773b36d85dfacbab6
Opcode Fuzzy Hash: 08037ae304aadf247731457b977ae54c4ac73947042d1087cdc9497f306f949b
Instruction Fuzzy Hash: 00318C353057454BC705EB3084906ABB7A3AFD1258B29C86EC2468FB85EF75FC09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01B593E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01B5962E

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6ece37847d58c494adc79cf25ef1a8fb8a4654a9e19ef63fd02bb4a6f11090e4
Instruction ID: 70bd73573f9da2bc0cd36b59d17e2ceef4793432c850c9133cd02c19ce30e3f6
Opcode Fuzzy Hash: 6ece37847d58c494adc79cf25ef1a8fb8a4654a9e19ef63fd02bb4a6f11090e4
Instruction Fuzzy Hash: 8B712870A00B058FDB68DF2AD44575ABBF5FF88218F108A6DD98AD7A50DB34E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01B5FB61, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01B5FD0A

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7240c167305415a47ad9b9f9d06ef6a8abef9c8b8131142d668af9ad516d54c7
Instruction ID: 180165d74d7292f1d5bc8c325207df2a129cc00971d3ba38ddc3eb77a9e2d442
Opcode Fuzzy Hash: 7240c167305415a47ad9b9f9d06ef6a8abef9c8b8131142d668af9ad516d54c7
Instruction Fuzzy Hash: 2D6101B1C04349AFCF06CFA9C884ADEBFB1BF49310F1581AAE918AB261D7349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01B5DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01B5FD0A

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6a07fa154d1335babebecd822c4fe8c8ac85686e6c950ba8b1a0dea9e111c584
Instruction ID: a22f50d2f3b0816ee7735dd8e145aa564101075b462664afd1ce3e9ed30baab5
Opcode Fuzzy Hash: 6a07fa154d1335babebecd822c4fe8c8ac85686e6c950ba8b1a0dea9e111c584
Instruction Fuzzy Hash: 16519FB1D00309AFDB14CF99D884ADEFBB5FF48314F24826AE819AB250D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01B5BDC1, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01B5BCC6,?,?,?,?,?), ref: 01B5BD87

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1545e7a463be20f1a9988c66aed1facf8053f277adcc8990b10a1545f5b3e1f6
Instruction ID: 24e431c5f46d28054fd8e79c40a625e1e3caf39f042e0d91cc33d02638eb4770
Opcode Fuzzy Hash: 1545e7a463be20f1a9988c66aed1facf8053f277adcc8990b10a1545f5b3e1f6
Instruction Fuzzy Hash: DE41CD74940B45DFEB128FB0E989BBE3FB5EB89311F24426AEE059B281DB341901CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01B5A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01B5BCC6,?,?,?,?,?), ref: 01B5BD87

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 176af07b1b1b4ee78ce1b9b8882690d7ef67fa0d639829989ad6ee2d74248b7c
Instruction ID: 0d7472637268cf6300503281f79c914a8d329dfb9f685b19c31ea29497dcbb13
Opcode Fuzzy Hash: 176af07b1b1b4ee78ce1b9b8882690d7ef67fa0d639829989ad6ee2d74248b7c
Instruction Fuzzy Hash: 3621E5B5900248AFDB50CF99D984AEEBBF5EB48320F14805AE915A7350D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B5BCF9, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01B5BCC6,?,?,?,?,?), ref: 01B5BD87

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8dd7d3de61cdf6916567424ddd9e47a0cfcfcbe872c54bedd103456ba1c15339
Instruction ID: f38d0bf74d43c1ba2bfc2421fafa21d23e88ea1191737b578de1a3d1bbced354
Opcode Fuzzy Hash: 8dd7d3de61cdf6916567424ddd9e47a0cfcfcbe872c54bedd103456ba1c15339
Instruction Fuzzy Hash: 3521E4B5D002489FDB10CFA9D984AEEBBF4EF48324F14845AE954B7351C778A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01B58768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01B596A9,00000800,00000000,00000000), ref: 01B598BA

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 322a03c8aad4192afab9175f46b5b767bc729fcd5605913fa13de464da7461ee
Instruction ID: 3bfaf8535efdf3ddb3e1a68950828be7a359713c6cb7aa9a1a8dc68fe489ba64
Opcode Fuzzy Hash: 322a03c8aad4192afab9175f46b5b767bc729fcd5605913fa13de464da7461ee
Instruction Fuzzy Hash: B81122B2800208DFDB14CF9AC444B9EBBF4EB48324F10842EE919A7600C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01B59849, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01B596A9,00000800,00000000,00000000), ref: 01B598BA

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dae52baa58c75bdd717f9655812abf4bb4086b3a3e406e326694e3cac3e22321
Instruction ID: 988a2655659d4faac6ac027d6e67eaf4241c01a0f50228f1b25adccd73739198
Opcode Fuzzy Hash: dae52baa58c75bdd717f9655812abf4bb4086b3a3e406e326694e3cac3e22321
Instruction Fuzzy Hash: F111F2B2800209CFDB14CF9AD444ADEBBB4EB48324F14842ED919A7600C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B595C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01B5962E

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9fa146885cffdf177d10150118c78840720a968396239f4a3b36fd9c5f0a3418
Instruction ID: 5e50992a8deb7b9e48ebb549b3e8550a830d026f60100a596d539a762ec787d8
Opcode Fuzzy Hash: 9fa146885cffdf177d10150118c78840720a968396239f4a3b36fd9c5f0a3418
Instruction Fuzzy Hash: 5811E0B6C007498FDB14CF9AD444BDEFBF4EB88224F14856AD829A7600D778A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B5DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,01B5FE28,?,?,?,?), ref: 01B5FE9D

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ac0d782aef8c8dde7e3d707dff97d504761661576d8c330dbf86fe3394f6502c
Instruction ID: b076b0010881f2fbfab4b8740db74b1629ef2af32c66dae4f6036fa447170bf3
Opcode Fuzzy Hash: ac0d782aef8c8dde7e3d707dff97d504761661576d8c330dbf86fe3394f6502c
Instruction Fuzzy Hash: 991122B18002489FDB10DF99D588BEEFBF8EB48320F20845AE915A7301C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B5FE38, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,01B5FE28,?,?,?,?), ref: 01B5FE9D

Memory Dump Source

Source File: 00000005.00000002.588565274.0000000001B50000.00000040.00000001.sdmp, Offset: 01B50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f6597d045fd81c0dc38f4d9f418470245f495d596a1156eb53a53c3f0133b954
Instruction ID: 709bbda2ef235cd6bc3bc330f44a8512f86bad679ddf74926535224677436660
Opcode Fuzzy Hash: f6597d045fd81c0dc38f4d9f418470245f495d596a1156eb53a53c3f0133b954
Instruction Fuzzy Hash: 421103B58003499FDB10CF99D585BDEFBF4EB48324F20845AE959A7341C774AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA10C0, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

h?l, xrefs: 06AA1144

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID: h?l
API String ID: 0-593827334
Opcode ID: b7e8bd76b873911891495c793c6db1e216f0754f8b6645afea179c46c356e0a5
Instruction ID: 9e9e2d119348696c61ddf3af5b9034abdd431a0a703ef557cd569773504eb9be
Opcode Fuzzy Hash: b7e8bd76b873911891495c793c6db1e216f0754f8b6645afea179c46c356e0a5
Instruction Fuzzy Hash: 8B21D331B10614DFC744DB69D9849A9B7F5EF89324B2181AAE519CB362DB70EC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA40C0, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

C%, xrefs: 06AA40EC

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID: C%
API String ID: 0-1952537629
Opcode ID: 8b8141675f807f607128fc7ee6994f6706481eaf7ecb911d993cd8407a4294e5
Instruction ID: 5189dd38bd249ce8e812d0f474908433b8fc8fdf6cdcfa74933e620d6c3565fd
Opcode Fuzzy Hash: 8b8141675f807f607128fc7ee6994f6706481eaf7ecb911d993cd8407a4294e5
Instruction Fuzzy Hash: 90E08C71100A209BC350EB18E44094ABBE6FB8A244B04CE1ED62A8B741DFB1AC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1BB8, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

C%, xrefs: 06AA40EC

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID: C%
API String ID: 0-1952537629
Opcode ID: 039349736e1cb1bf612faa4e75b4e13ee32a58d08c34378dd700c05742a62972
Instruction ID: fa7019a83bd813587f32d3c949acfae3f1043b1bdbc133f5b801c59f05bc8915
Opcode Fuzzy Hash: 039349736e1cb1bf612faa4e75b4e13ee32a58d08c34378dd700c05742a62972
Instruction Fuzzy Hash: EFD017302006205B83A4EB28E44485AB7E6EB89618300CE5F911B9B741DBA1BD068BD0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA0040, Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23058395f121a7b8f497849ebd7951415e6ff9cdc14040b531e720612be9915a
Instruction ID: a19ae84a3ba3fb07b721072c69470dc605720209ff1bc03470fdcec7d9f15da4
Opcode Fuzzy Hash: 23058395f121a7b8f497849ebd7951415e6ff9cdc14040b531e720612be9915a
Instruction Fuzzy Hash: 90223770A00706CFCB54DF99C484AAEFBB2FF88314B25895AD456AB644DB30E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA4190, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c43fdc7ee224ef0cf1feef2fd91cebbb42ad36327786a7749782881cb150fad
Instruction ID: af63f2e7f400e62591398a7ff2024213f598a719326085b3b669a750fd023679
Opcode Fuzzy Hash: 7c43fdc7ee224ef0cf1feef2fd91cebbb42ad36327786a7749782881cb150fad
Instruction Fuzzy Hash: FE919E70A003059FDB64EFA9C980AAEFBF5EF48310F11852BE4599B250D7B4E845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA0007, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b0c179bd773a7eb95e1da61efdd6f8c0c5b79df88c91129d2245131216e4ea
Instruction ID: f951d417e69d8655d5483752ed858afb69493fabf232397c6a514bfb836a40cb
Opcode Fuzzy Hash: 57b0c179bd773a7eb95e1da61efdd6f8c0c5b79df88c91129d2245131216e4ea
Instruction Fuzzy Hash: 87915774A00706CFCB44DF55C584AAAFBB2FF88314F29C59AD416AB206C731E942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA38E0, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cfcb38073f7bcd8c45cbaa95071622782c1640a8e26d4623480cb55340ad31
Instruction ID: e8fd9b0acab595f9ae8269d85a81d54dfe3c43a3f1fbff991c6e6af524b1851d
Opcode Fuzzy Hash: 49cfcb38073f7bcd8c45cbaa95071622782c1640a8e26d4623480cb55340ad31
Instruction Fuzzy Hash: 58714830A007049FDF94EB65C594BAAB7F2BF88210F14859AD416EB361DB72ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1E30, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247981320bb85d32868c970a4933f94aafeccbe8bad32f812cba9f1ce5eaa9e7
Instruction ID: 9eb082e82a5452e138371dd3c62b1380951993c3f5833f8fd2df00f5dadf9b14
Opcode Fuzzy Hash: 247981320bb85d32868c970a4933f94aafeccbe8bad32f812cba9f1ce5eaa9e7
Instruction Fuzzy Hash: 7F5156B0E04348DFCB50EFA9C884BDEBBF5AF48314F15812AE509AB250DB749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA068D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618df289424c05bc6c3643d1ae7d4ec41886fdc42e747bf8d45df098f178b29d
Instruction ID: 715d86774f608c1afa3debb381e0c6108b8fcfaa698e1a2e860f5e57e508f895
Opcode Fuzzy Hash: 618df289424c05bc6c3643d1ae7d4ec41886fdc42e747bf8d45df098f178b29d
Instruction Fuzzy Hash: 445100B4D007188FDB54DFA9C884BDDBBB1AF48318F15812AE829BB350DB74A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06AA0698, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35918009f042506fd71b08fb7082b7222d221581a38d2c44ec50f22780d5c042
Instruction ID: 40366b8ecbc69170eed578f36c31645b544bd6a59cb851cd2f4c62083ffcfbb5
Opcode Fuzzy Hash: 35918009f042506fd71b08fb7082b7222d221581a38d2c44ec50f22780d5c042
Instruction Fuzzy Hash: 76510270D007188FDB54DFA9C884BDEBBB0AF48318F15812AE819BB350DB74A845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2148, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5587ca50cbd3a34b444cba92cb7902733b5a12e339268dd8b16669ddd4099b7a
Instruction ID: c721a9c79efa928661a4831bc0fb3ecf1b1bd1e83f72876dfd28cb877ce7cdec
Opcode Fuzzy Hash: 5587ca50cbd3a34b444cba92cb7902733b5a12e339268dd8b16669ddd4099b7a
Instruction Fuzzy Hash: 2541F430610301CFD768EF69D90463A77F6FFC4304B19886ED5068B680EB36AE56CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3BF8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135f6e258b17bef9c2891f2655b1652696f15c67b3ceea92021c1788491b5568
Instruction ID: 34f922cf3721d504d8ced4f5f981822d13ed3b912851a22cee4e6028ed611b3f
Opcode Fuzzy Hash: 135f6e258b17bef9c2891f2655b1652696f15c67b3ceea92021c1788491b5568
Instruction Fuzzy Hash: D5310C30A05B50CEDBB8EF2AC8503A6B7F1AF85605F14C86E849BCBA50DB76B445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06AA36BD, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a435dfd2424fc9fcf3270a350f6d18b3c74b6a1c2200b426ff75daad7d3a2394
Instruction ID: a87a78eaadb661c5d1262be843384513d8d56db810af15c2fb437c45807d1a93
Opcode Fuzzy Hash: a435dfd2424fc9fcf3270a350f6d18b3c74b6a1c2200b426ff75daad7d3a2394
Instruction Fuzzy Hash: 313114B0D01248DFCF10DFAAD584ADEBFF5AF48314F24802AE819AB651DB349945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA33A8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0272d1d3c9448d47775dc10d14b40bf34d167d68b7d35068d8d6fabae72c7026
Instruction ID: 526eecfef407b855e7ef6b845cae122406f9bb2e8838c411a1e92ee1056f7750
Opcode Fuzzy Hash: 0272d1d3c9448d47775dc10d14b40bf34d167d68b7d35068d8d6fabae72c7026
Instruction Fuzzy Hash: 8F319F307003448FDB51EBA5C441AAAFBF2EF89644B14887EE506DB740DB36ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA33B8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841a04de3d32f0f0706c810304369264bfe4c62138dd8bd66ada2d189f32e59f
Instruction ID: 747003a581e1b08197798f88e97f5729c0a25c0c7b00e18bef5c54ba4c2b41e3
Opcode Fuzzy Hash: 841a04de3d32f0f0706c810304369264bfe4c62138dd8bd66ada2d189f32e59f
Instruction Fuzzy Hash: 7E316D307003048FDB55EB75C445AAAFBF2AF89645B10893EE506DB750DB36E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06AA21B0, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af40e9239aa70bffb78af591a1037af397bd5d847e97b94c6ab7d5ed5b5fe59
Instruction ID: bbae47db6abca00e3234565987c61103337ea9a73090cf21db82d0bbcc10853d
Opcode Fuzzy Hash: 0af40e9239aa70bffb78af591a1037af397bd5d847e97b94c6ab7d5ed5b5fe59
Instruction Fuzzy Hash: 6631B430614305CFE794EFB5D808A7A77B6FB84300F19486AD906E7784EB35AE55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA36C8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263840b78096db8584cb148df00067184c7b1515b0f012472885a40c5b59e641
Instruction ID: 091dc49f7e36b7fabb4ab0fe1edce9e540852b927362babcd499427f3c1b6f6f
Opcode Fuzzy Hash: 263840b78096db8584cb148df00067184c7b1515b0f012472885a40c5b59e641
Instruction Fuzzy Hash: B83105B0D01248DFCF50DFAAC580ADEBBF5AF48354F24802AE419AB651DB749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA30C0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9004e78d34eb684490c1e507ee9945f49420aaa948731c6e9217a500694963
Instruction ID: 38812a97660e945ae8e2c2c47ce08caa422903cc40b8e8333b85026687eed673
Opcode Fuzzy Hash: ca9004e78d34eb684490c1e507ee9945f49420aaa948731c6e9217a500694963
Instruction Fuzzy Hash: 55219A31B082249BDF95AB68C8046FEB7B2AF88711F10843BD506DB740DB769945CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2760, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7282a76e28aa350959f1f52808ea4ec288abd0824497f5b8924d3d71ab7cf97c
Instruction ID: 1db8b1ab4342d0a213bf468017fd23f9d35478419fdbd1623ca8eb6e044e15f5
Opcode Fuzzy Hash: 7282a76e28aa350959f1f52808ea4ec288abd0824497f5b8924d3d71ab7cf97c
Instruction Fuzzy Hash: 1E215C30B143408FD745ABB6941D36EBBF2AF88605F14842AE016E7394DF389B01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3D18, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f43ec5b0c2bb9feeefae241b67a3b20f2b572995eb1fa0d6dbd2f974c203e5
Instruction ID: f9811e9b0de569b3735fa15f242a2acf7eddaa02404234de3511ab19134684f0
Opcode Fuzzy Hash: 31f43ec5b0c2bb9feeefae241b67a3b20f2b572995eb1fa0d6dbd2f974c203e5
Instruction Fuzzy Hash: 4F316970D10309DFDB54DFA5D484AA9BBB1FF49314F24856AE406AB341DB72AC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2750, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ddbcea0d281e4735ef4f7ed157a0e5f03b594e23875edeabb30c83220121a0
Instruction ID: c81ad205a5e9bc992e158f900d615c91452a65f13650b6c97cb62b7422a5ec3a
Opcode Fuzzy Hash: e5ddbcea0d281e4735ef4f7ed157a0e5f03b594e23875edeabb30c83220121a0
Instruction Fuzzy Hash: 06215930B183408FD745ABB6941D36DBBF2AF88605F14842AE016E7794DF389B06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017FD3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.588163632.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fcf7fb2e38b1538ad18ebcacf32f7bcd632443fbdcdeadd5dd095d1eb39c91
Instruction ID: ba8be3d0108b2b23e74e5e1095d69594c3dcb105cd65af31a5afac3c0d1b068e
Opcode Fuzzy Hash: d9fcf7fb2e38b1538ad18ebcacf32f7bcd632443fbdcdeadd5dd095d1eb39c91
Instruction Fuzzy Hash: C321C1B1504240DFDB25DF94D8C0B67FB65FB88324F24C5ADEE094A346C336E856DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0180D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.588190816.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db256e164367ff4af8a1acefd46b82d936c0f459353a2b9d038d5e5a354276a
Instruction ID: ba636e04ee2cd013237e2d78e8cc9044fa3dd86075995654e731bf49283a4e5d
Opcode Fuzzy Hash: 3db256e164367ff4af8a1acefd46b82d936c0f459353a2b9d038d5e5a354276a
Instruction Fuzzy Hash: 6E210371504248DFDB52DF94DCC0B16BB65EB84358F24C669D80D8B286C736D946CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1720, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0699e913b55fd953948d378d12dc493a958cc93b7205db04befb726633c096e
Instruction ID: 746fe76d1975792281e5f5b0116efb4c9393e9363bd6fb30728ca162e4179ffd
Opcode Fuzzy Hash: a0699e913b55fd953948d378d12dc493a958cc93b7205db04befb726633c096e
Instruction Fuzzy Hash: EF11C131308604ABC354A739E09056EB7BB9FC4618B548C6ED10F8B680EF72EC428BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1D80, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34231d90d1eebabcdd45f4885446c6f19bd0b10a7a94ea9d036991c781a038d
Instruction ID: 7f57c1c7381811bd1da74b1ebe95765cefc2f53c0a00148c496168c13f4637e4
Opcode Fuzzy Hash: e34231d90d1eebabcdd45f4885446c6f19bd0b10a7a94ea9d036991c781a038d
Instruction Fuzzy Hash: B4116D74304701AFD7A4EB55C9C0D2AF3ABEFC8264F54C51AD45A8BA50CB31EC52CA90

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1E21, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48d37eed1d48ae9342f398ab2af558ef85d633736f7f5cc454e8f15c042ca6b
Instruction ID: 1743e7890b5acb6789ba8a067b836f86856070a8262c53b25fe2ff73d402b206
Opcode Fuzzy Hash: c48d37eed1d48ae9342f398ab2af558ef85d633736f7f5cc454e8f15c042ca6b
Instruction Fuzzy Hash: C0115171E04219DFDB50EFA4C8856AEBBF5EF49304F01816AD209AB611E7719A84C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 017FD3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.588163632.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: 1950f219600030581ed12906c683fd78216c7aa371078a7e4c48f435b4d78240
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: DF118C76404280CFDB12CF54D5C4B66BF61FB84224F2886A9D9494A656C336E45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0180D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.588190816.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4676951a6f3742d0ee41557564238a877822e21330454799e2497e13120bab7e
Instruction ID: e1547528884448e19b83647553fb2075d98e268d2939042093d035a3da4b6846
Opcode Fuzzy Hash: 4676951a6f3742d0ee41557564238a877822e21330454799e2497e13120bab7e
Instruction Fuzzy Hash: B011BE75504284CFCB12CF94D9C4B15BB61FB44324F28C6A9D8098B696C33AD54ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06AA11A8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c5d46f503e65c45dbf1b7d3cbc37891bf6727124e98a2d981dc41d8ff5948a
Instruction ID: 1bcc6378cd495d432947dd1cc5b5c8c02aed9cd9b111c705adb850b368adc636
Opcode Fuzzy Hash: d6c5d46f503e65c45dbf1b7d3cbc37891bf6727124e98a2d981dc41d8ff5948a
Instruction Fuzzy Hash: D311E3B0600391AFD3619B28D54AB267BF6FB49308F11889DE056CB351DB39AD84CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2F28, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3652fee4f8bdf02d0fd4720d58ffd05dbf451b4f700932a1c9b1cb825b1a879
Instruction ID: f9d75e04ae78a5ff55bdec1a9daa99b90b6fc61104522d2d5bc9a463b87c65fe
Opcode Fuzzy Hash: d3652fee4f8bdf02d0fd4720d58ffd05dbf451b4f700932a1c9b1cb825b1a879
Instruction Fuzzy Hash: 14F0A431711254ABC7142BB9A909A7F7BEEEB8DA11704583EF90AD7700EE75AC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1198, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d53a45d5637de1ac176fd52bf1f98f1a56add387b44506a722922b73246ae33
Instruction ID: 3cc64bd49492f6be5b8ec18c4bf132a948f413dba1eefcd2bb42cae8b5fdb9ad
Opcode Fuzzy Hash: 1d53a45d5637de1ac176fd52bf1f98f1a56add387b44506a722922b73246ae33
Instruction Fuzzy Hash: 5101F5B06043D0AFD3129B28E14A7257FF6FB4A318F14589DD045CB252CB799D84CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2F38, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3545e41182c9be61abfb8e77569d8aaced39c51d849294f3e82c35f9335b73d
Instruction ID: f9e527aac49040b5630fe3cacb7e36eb4012b9551a1dcb132b212ff90121fdcc
Opcode Fuzzy Hash: a3545e41182c9be61abfb8e77569d8aaced39c51d849294f3e82c35f9335b73d
Instruction Fuzzy Hash: 72F09671710254AF871467B9A94D97F7AEEEB8C651314483EF50BE7700DE359C0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3668, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68caf1f442df38bbf2a0022136d77fb034fdaa7fe548085b4400fc49c4af035
Instruction ID: 2189309be469d30a047f80ceed29069e52bdc1b20d777f9427f083e42490507e
Opcode Fuzzy Hash: d68caf1f442df38bbf2a0022136d77fb034fdaa7fe548085b4400fc49c4af035
Instruction Fuzzy Hash: 7FE0EC33B083505AEF61365DA8487BBAA4597C4235F450277D90ECB3418751484442E0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA0A50, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
Instruction ID: 70f6bacd34833cafd43842f28128f17d8ab30b6b75b6a8574436e9b318707d8b
Opcode Fuzzy Hash: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
Instruction Fuzzy Hash: 71F06236600A049F8364DA6AE444C57F7FAEFC9625315C96AE59EC7B24D630F8058A60

Uniqueness

Uniqueness Score: -1.00%

Function 06AA35D9, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aa3bc25e7e147b0564f7514137b1e16fa4195a959751cd745125572f44541d
Instruction ID: 3b31f43709be4fbefb31ed464d9a536c0f493c4eaab7113e09c5c48334c33f07
Opcode Fuzzy Hash: f4aa3bc25e7e147b0564f7514137b1e16fa4195a959751cd745125572f44541d
Instruction Fuzzy Hash: 35E02B356147106BC754F788D450A6BB765DBC9A64B00C42FD10AC7700DF72DD0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA191E, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cdb872e16fb046621716290d31146d892e39027d901acff806176a3677d5b0
Instruction ID: 14b261f5448b12e2c57b2082be79a1cb925b2726a5f1a7be7a0e977fbafbda96
Opcode Fuzzy Hash: 82cdb872e16fb046621716290d31146d892e39027d901acff806176a3677d5b0
Instruction Fuzzy Hash: 11E02231308224AFD3002324E11436837B9EB9F610F01409BD54ACB222CF204C00C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 06AA35E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7acebf4740b5d5b0ef8211a87f573e7d3cbfe14fc53648c73ce451f42d9ac0f
Instruction ID: eff8d5d215f53e4cc5c20ec5df5d29b7d17da0f1412edf9c9d22959c47ff377e
Opcode Fuzzy Hash: e7acebf4740b5d5b0ef8211a87f573e7d3cbfe14fc53648c73ce451f42d9ac0f
Instruction Fuzzy Hash: DFE0DF356187106F4A95E258981082FB7AACBC1964341C82FD10ACB740EF62ED0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA1938, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ee8c69827e6377f5fbb15b06e9c213c313f0057537774f2d55daa9d3d3821a
Instruction ID: 3d41ee4b20c3b97f50a2a24926674cf57bf65fcaa9720d4de18217c10ed7b6a7
Opcode Fuzzy Hash: b3ee8c69827e6377f5fbb15b06e9c213c313f0057537774f2d55daa9d3d3821a
Instruction Fuzzy Hash: E1D05E31319220BF57847268D2549A973BEAB8EA64B4040ABD65ADB310DF526C04C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2600, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706c44428d431fd60b841de8229f89b3d0e1f4b2ea9d507d8fc26096d7372589
Instruction ID: 46afbc682aa1a539e03ebeb23e217d815c892d487e24618b5045a42ee0a253ae
Opcode Fuzzy Hash: 706c44428d431fd60b841de8229f89b3d0e1f4b2ea9d507d8fc26096d7372589
Instruction Fuzzy Hash: 8CE0867110E7C14FE3639720EE16F553F3C9B16201F5980DBDD40860A3EB595919C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3628, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8214214b6aad7235f22fb889b2d95411ddc401c53179d45234ca284ce560da29
Instruction ID: 599709c7106c33c9ce3b7c23520f49365651d7484f60678fec0ccb8d92e3b933
Opcode Fuzzy Hash: 8214214b6aad7235f22fb889b2d95411ddc401c53179d45234ca284ce560da29
Instruction Fuzzy Hash: 1DD05E3010A708DFEB446B60E15832673B4FB08708B64886AE00FC7301CB33E9138AD0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3638, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430ebd97b218077f2968cb11c0e5de3de1f3399b0796416360ea702e3fa69809
Instruction ID: ebe2f5beb77f546e4eb770e7ed7e114283f1564842b1048b6ddfc981ed280676
Opcode Fuzzy Hash: 430ebd97b218077f2968cb11c0e5de3de1f3399b0796416360ea702e3fa69809
Instruction Fuzzy Hash: 6BD0C934109344DF9F446A60D0185267774A64470432484AAA40FCB301D733E8128AC0

Uniqueness

Uniqueness Score: -1.00%

Function 06AA4103, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaa83e992f58bc6bfb6b32a215b09c15c37053c70da07604c8abe85ec254549
Instruction ID: fb918f5c22e1d1d2104aabec4d474079f42e5b5c029a8bd9c07aad66810e02ff
Opcode Fuzzy Hash: adaa83e992f58bc6bfb6b32a215b09c15c37053c70da07604c8abe85ec254549
Instruction Fuzzy Hash: 6CC08C668486480BCA4433F0E90A30EBA9C4B40006FC80059AA1AE2B42EE29852002A8

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3E3C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c05850eb4fa80c123f6b9ab607a45d75ab8ecddcf7042266ce39a98eeac9f5
Instruction ID: e3c0a72605ba070c4405e29a8090b3e27ae127d90d518325251322562e9daf0a
Opcode Fuzzy Hash: b3c05850eb4fa80c123f6b9ab607a45d75ab8ecddcf7042266ce39a98eeac9f5
Instruction Fuzzy Hash: C4C04C76A041098EEF145BD4F4453ECBB74F78436AF104067E61D92441C775196547D1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA16F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb812a9d3c1e3bc80690b87b4c8e63e79ba4d7512aa8ae29bac9a2f39995712
Instruction ID: 073a76ac32ef7a88b469d3f9091439ac0ded3bea33f8951c1eb600e8c08ba391
Opcode Fuzzy Hash: ccb812a9d3c1e3bc80690b87b4c8e63e79ba4d7512aa8ae29bac9a2f39995712
Instruction Fuzzy Hash: C0C09BB4110555DFDF155F51E2467643775FB49345F505458D00145512CF75454BC744

Uniqueness

Uniqueness Score: -1.00%

Function 06AA2628, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235aa6037bf66eb2173b8f856d151aae9e2624a5e6874259bf565a9dcec57779
Instruction ID: 3fc8782ba806f4e47c0282c76d5fb82b118b41db4c3716ece300a03d0fed483a
Opcode Fuzzy Hash: 235aa6037bf66eb2173b8f856d151aae9e2624a5e6874259bf565a9dcec57779
Instruction Fuzzy Hash: C8B09B7000D744DF53717B11DB06D99763DD6015017548415D60142155DF656B1445E5

Uniqueness

Uniqueness Score: -1.00%

Function 06AA4110, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.594402683.0000000006AA0000.00000040.00000001.sdmp, Offset: 06AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98ebbcfcfb02958bd1c7da3dc9c22d2acfedb4c32c5894b82d1da2f6d200f92
Instruction ID: 1a6af4fd710bc5ba295cc1bf3f87430fc1d85f58226f0169a42b9153e11241fc
Opcode Fuzzy Hash: b98ebbcfcfb02958bd1c7da3dc9c22d2acfedb4c32c5894b82d1da2f6d200f92
Instruction Fuzzy Hash: 65B0123455870C474D8833F1650D21D768C0E400063C00159F51EA37409F39552000A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5940 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 054C9A30, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 054C9C76

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7929a473e9f2b2076ffd34fcab1fecffaa246f8bce3267a57d542b9c26de0aad
Instruction ID: a66bca4eaf76326159a85643b36c0b96dd7057b6751842277f863023ade6d097
Opcode Fuzzy Hash: 7929a473e9f2b2076ffd34fcab1fecffaa246f8bce3267a57d542b9c26de0aad
Instruction Fuzzy Hash: 04713374A00B059FD7A4DF2AD4457AABBF1BB88304F1089AED54AD7B40EB35F805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054CA7A4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,054CBF1E,?,?,?,?,?), ref: 054CBFDF

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db3a7150aa6c4d1fb0277370e62ef98d5c0601ec4aec0b85becf7ce3986147fd
Instruction ID: 989c0ef6d2247539412e264bef14195fdd38016ffdd8c67dd692a6ddc223e476
Opcode Fuzzy Hash: db3a7150aa6c4d1fb0277370e62ef98d5c0601ec4aec0b85becf7ce3986147fd
Instruction Fuzzy Hash: AB2116B59002489FCB10CFA9D884AEEBFF4FB48314F14805AE915B3310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054CBF50, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,054CBF1E,?,?,?,?,?), ref: 054CBFDF

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b1bd3b4b58a9761ab86f5fe23ad97ef9cc2817196b3fa2b4142c9aa4cbe68c8
Instruction ID: df9f3ca77ee12be7a0afdc4fa4ac378d20ffd794eb2d2fd3d2ec7c8f915ff67e
Opcode Fuzzy Hash: 9b1bd3b4b58a9761ab86f5fe23ad97ef9cc2817196b3fa2b4142c9aa4cbe68c8
Instruction Fuzzy Hash: 0821E6B59002489FDB10CFA9D884AEEBFF8FB48314F14845AE915B3310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054C8DF8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054C9CF1,00000800,00000000,00000000), ref: 054C9F02

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b124dafa43b714374def2a3f7fc277593b82d3258d02a78e71eef05f3a3844c0
Instruction ID: c8b78a8ea13e9580a5f7171cf0285ff20331a391096f251423138e6eca36461b
Opcode Fuzzy Hash: b124dafa43b714374def2a3f7fc277593b82d3258d02a78e71eef05f3a3844c0
Instruction Fuzzy Hash: 511114B69043499FCB10CFAAD444ADEFBF4EB98314F10846EE519A7300C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054C9E91, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054C9CF1,00000800,00000000,00000000), ref: 054C9F02

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2c0bf9d4879403f867b60fd831941536bbd2b1f179545c1aa46bb134e7a994d8
Instruction ID: d20c612ea3c2e8c06c070c814f27bd3ff887ed8afe987d331b1fced477d7916e
Opcode Fuzzy Hash: 2c0bf9d4879403f867b60fd831941536bbd2b1f179545c1aa46bb134e7a994d8
Instruction Fuzzy Hash: 901144BA8042489FCB10CFA9D544AEEBBF4AF88324F14846EE419B7700C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054C9C10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 054C9C76

Memory Dump Source

Source File: 00000006.00000002.267173012.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 06b21491580ef5786a56112fc3ee1c18a095657f0c758469ed80b4c1a9714c06
Instruction ID: ba377c2eb45b41785a66488ed828b279bd5a606294df136be2718af513619df4
Opcode Fuzzy Hash: 06b21491580ef5786a56112fc3ee1c18a095657f0c758469ed80b4c1a9714c06
Instruction Fuzzy Hash: E0110FB6C006498FCB10CFAAC484ADEFBF4AB88324F10849AD429B7600C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011DD3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.264903899.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73c11fec5c320f0b47864235ede7b30454c8478b8a41e9d67520b9fe9837dcc
Instruction ID: a3d6e8213b95eb3fab3142f65f5d01d8332a5a49c93bc8b7952335ca3b06924e
Opcode Fuzzy Hash: f73c11fec5c320f0b47864235ede7b30454c8478b8a41e9d67520b9fe9837dcc
Instruction Fuzzy Hash: DD2128B1504240EFDF09DF94E8C0B66BB65FB84324F24C569E9094B687C736E846C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011DD3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.264903899.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: 550538fa87c6621dda10b822b91cceeb3572b453e6b6d02f75452acea4319783
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: F811AF76404280DFCF16CF54E5C4B56BF71FB84324F28C6A9D8490BA56C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011DD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.264903899.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaba4492cd06947a27549d042ffe2e182300f11ccf1c967e3341bd90219d429
Instruction ID: e27c5a880b57ea861cb4b8b929c2f9a6556f9b62bc45a85af3a27904cf9daeb4
Opcode Fuzzy Hash: 0eaba4492cd06947a27549d042ffe2e182300f11ccf1c967e3341bd90219d429
Instruction Fuzzy Hash: 6D01F771408BC4AAEB184A65ED847A7FB98EF4122CF1AC499ED044A2C3C7789844C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 011DD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.264903899.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985dcd259daa675169ac288e384825f78079eecd11a40c4fc8578dfd9c08e22a
Instruction ID: e8eaf57fd7bc92f1a2d42094d778848a98bc50589a52f8c9a9721823b692359d
Opcode Fuzzy Hash: 985dcd259daa675169ac288e384825f78079eecd11a40c4fc8578dfd9c08e22a
Instruction Fuzzy Hash: 6DF068714047849AEB158A19DD84766FF98EB41678F18C55AED085B287C3789844CA71

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5920 Parent PID: 5940 dhcpmon.exeCOMMON

Executed Functions

Function 031BB6C0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031BB730
GetCurrentThread.KERNEL32 ref: 031BB76D
GetCurrentProcess.KERNEL32 ref: 031BB7AA
GetCurrentThreadId.KERNEL32 ref: 031BB803

Strings

0TI~, xrefs: 031BB6EC

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: 0TI~
API String ID: 2063062207-752617894
Opcode ID: cd14a05968b821b59bd9abd1bb8ffacb259491335c4a342205ae5922d9f6e007
Instruction ID: 3b4d2f3f8f11da71f9b67d2477198856cce8cbb36212ac56c0dd24c77e37c0fd
Opcode Fuzzy Hash: cd14a05968b821b59bd9abd1bb8ffacb259491335c4a342205ae5922d9f6e007
Instruction Fuzzy Hash: 025194B09057488FDB10CFA9C688BDEBBF0AF4D304F24845AE019B7790CB749884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 031BB6D0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 031BB730
GetCurrentThread.KERNEL32 ref: 031BB76D
GetCurrentProcess.KERNEL32 ref: 031BB7AA
GetCurrentThreadId.KERNEL32 ref: 031BB803

Strings

0TI~, xrefs: 031BB6EC

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: 0TI~
API String ID: 2063062207-752617894
Opcode ID: 5e981b48c4c6b85ee4ea7c87334baf81510aab8618c10a72528697b40570d786
Instruction ID: a983cd98bba810d6ae26d49db5f9d7f23fa32654071f5c2e13db2308652e8169
Opcode Fuzzy Hash: 5e981b48c4c6b85ee4ea7c87334baf81510aab8618c10a72528697b40570d786
Instruction Fuzzy Hash: 765164B09016488FDB14CFAAD688BDEBBF0AF4D314F248559E019B7790CB74A885CF65

Uniqueness

Uniqueness Score: -1.00%

Function 031BFB81, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031BFD0A

Strings

0TI~, xrefs: 031BFC26
0TI~, xrefs: 031BFC46

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: 0TI~$0TI~
API String ID: 716092398-3224775205
Opcode ID: b184720148173e7f48889328767090be43a811d2dc782026feda9c7c0c43ba3a
Instruction ID: a363c4577685db26cdd4e0cad0f4db052086d3500a9392adbb5821fec9fe12bd
Opcode Fuzzy Hash: b184720148173e7f48889328767090be43a811d2dc782026feda9c7c0c43ba3a
Instruction Fuzzy Hash: 73610275C04249AFCF11CFA9D980ADEBFB5FF48304F29816AE818AB221D7759945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031BFBF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031BFD0A

Strings

0TI~, xrefs: 031BFC26
0TI~, xrefs: 031BFC46

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: 0TI~$0TI~
API String ID: 716092398-3224775205
Opcode ID: 6d31425a515aae0f10609ebf2e374e72a29daf8bc2a3d08887ea1fe0eda6c7d2
Instruction ID: 878b65d8480bcaf892edf9969e19e7ce0c751c926028fc6f7dd7db1818aded89
Opcode Fuzzy Hash: 6d31425a515aae0f10609ebf2e374e72a29daf8bc2a3d08887ea1fe0eda6c7d2
Instruction Fuzzy Hash: 7441B3B1D003499FDB14CF99D884ADEFBB5BF48354F64812AE419AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031B93E8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031B962E

Strings

0TI~, xrefs: 031B95E7

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: HandleModule
String ID: 0TI~
API String ID: 4139908857-752617894
Opcode ID: 0c24ad10b1461e6be2aa2a8198162128cdf9844e823d8a2172b6c6e29e41be84
Instruction ID: cb5b206546522f07cb170252d50b6f5aaac8c0526f009b963685142482c2cbb4
Opcode Fuzzy Hash: 0c24ad10b1461e6be2aa2a8198162128cdf9844e823d8a2172b6c6e29e41be84
Instruction Fuzzy Hash: 9E7156B0A00B058FD724DF2AD54179ABBF5BF89204F048A6DD58ADBA50DB34E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031BBD00, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031BBD87

Strings

0TI~, xrefs: 031BBD1F

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: 0TI~
API String ID: 3793708945-752617894
Opcode ID: fadd1868c13c75896a708bb23f133760dd3c213bc5de417cc683e70165098f11
Instruction ID: 8af1b5ac006d13902a54c271b04f9b8f1d7919cd92aa2430d27b7ffc35d1dee8
Opcode Fuzzy Hash: fadd1868c13c75896a708bb23f133760dd3c213bc5de417cc683e70165098f11
Instruction Fuzzy Hash: 9D21C4B59002489FDB10CFAAD984ADEBBF4EB48324F14841AE958B7310D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031BBCF9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031BBD87

Strings

0TI~, xrefs: 031BBD1F

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: 0TI~
API String ID: 3793708945-752617894
Opcode ID: dd747bd897adce64777959bd5f602e2e5ca698a7a6d05e40ef08d5f951b0f47b
Instruction ID: 8358afb974d73556c6173555c3a0a0e4cd58bd0801acc856780dae90e48f1027
Opcode Fuzzy Hash: dd747bd897adce64777959bd5f602e2e5ca698a7a6d05e40ef08d5f951b0f47b
Instruction Fuzzy Hash: 4221E4B59002489FDB10CFA9D984BDEFBF4BB48314F14841AE958B3750C378AA44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 031B8768, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031B96A9,00000800,00000000,00000000), ref: 031B98BA

Strings

0TI~, xrefs: 031B986F

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: 0TI~
API String ID: 1029625771-752617894
Opcode ID: f786d4d7a8be87c1efecab06e9bb36f24c0e74ea4e5492a0eadff4e52f52ca71
Instruction ID: 067fb951794be434e3a9f695366e8db9fe2fbcfa6a8b555ef3233c2e49b92ffb
Opcode Fuzzy Hash: f786d4d7a8be87c1efecab06e9bb36f24c0e74ea4e5492a0eadff4e52f52ca71
Instruction Fuzzy Hash: B41103B69002499FCB10CF9AD444BDEFBF4EB48314F14842EE519B7600C779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031B9849, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031B96A9,00000800,00000000,00000000), ref: 031B98BA

Strings

0TI~, xrefs: 031B986F

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: 0TI~
API String ID: 1029625771-752617894
Opcode ID: 8e6156d9eac569177d9e0bf08ce2e8a11c17d54e1aa81222f4136f8af22b7405
Instruction ID: a1db98bb08538036ae1ec5d5b1bbd15af78dff5e98d5be6431016fbeacace12e
Opcode Fuzzy Hash: 8e6156d9eac569177d9e0bf08ce2e8a11c17d54e1aa81222f4136f8af22b7405
Instruction Fuzzy Hash: E711F2B68002498FDB10CFAAD944BDEBBF4AB48314F14842ED519A7600C779A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031B95C8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031B962E

Strings

0TI~, xrefs: 031B95E7

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: HandleModule
String ID: 0TI~
API String ID: 4139908857-752617894
Opcode ID: 4b9dd023b980dc96b4dbcebfedc238d8178b64f1a20c72598c1ae564cb9da411
Instruction ID: 16debdb2917f0673174683ffb90bfb22e2e964a46e667268210e7be7a12a3a9d
Opcode Fuzzy Hash: 4b9dd023b980dc96b4dbcebfedc238d8178b64f1a20c72598c1ae564cb9da411
Instruction Fuzzy Hash: 6011E0B6C006498FCB10CF9AD444BDEFBF4AF89324F14851AD529B7600C778A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031BFE38, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 031BFE9D

Strings

0TI~, xrefs: 031BFE5A

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: LongWindow
String ID: 0TI~
API String ID: 1378638983-752617894
Opcode ID: dcf2f20db90d5f72e03e469c32b5d25de731d17da3795fc253d74887b669f778
Instruction ID: b86406363fb1cbbbb37522efebe740194e17e098f98a9d5b851075084e4d20c6
Opcode Fuzzy Hash: dcf2f20db90d5f72e03e469c32b5d25de731d17da3795fc253d74887b669f778
Instruction Fuzzy Hash: 4F1125B5800249CFDB10CF99D585BEEBBF4EB48324F20841AE858B7601C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031BFE40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 031BFE9D

Strings

0TI~, xrefs: 031BFE5A

Memory Dump Source

Source File: 0000000B.00000002.280353438.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID: LongWindow
String ID: 0TI~
API String ID: 1378638983-752617894
Opcode ID: 785dcc4940cf2d83a9c8cdcf93f98ab9f9a1fad7b5ae020f57fe93286a72c981
Instruction ID: 6995b80dfdf580d3620d898f3f31db03178ca76844f4fd1c2ef522f6a3b6a51f
Opcode Fuzzy Hash: 785dcc4940cf2d83a9c8cdcf93f98ab9f9a1fad7b5ae020f57fe93286a72c981
Instruction Fuzzy Hash: DC1103B58002488FDB10CF9AD585BDEBBF8EB48324F20841AD918B7301C374A945CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0306D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.280162178.000000000306D000.00000040.00000001.sdmp, Offset: 0306D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31632e8444137f32ace762df7717eef614d401cbd1dc323789608cf5160960bd
Instruction ID: 733003ff5f1c467f83290131963a9f96fc96ba73516363a5c80121db0199b32f
Opcode Fuzzy Hash: 31632e8444137f32ace762df7717eef614d401cbd1dc323789608cf5160960bd
Instruction Fuzzy Hash: 42213A71604240DFDF11DF54D8C0B2ABFA5FB88328F24C5A9E9094B64AC336D845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0307D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.280176263.000000000307D000.00000040.00000001.sdmp, Offset: 0307D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a58294f111337da1206952acf81f1b11f4f0ec29c803a521914f9b256034fdb
Instruction ID: c5f2aa82d2bf4d78a424c1ee3c85f9e8ae327c07a9d42bce34601cfaf8785128
Opcode Fuzzy Hash: 0a58294f111337da1206952acf81f1b11f4f0ec29c803a521914f9b256034fdb
Instruction Fuzzy Hash: CA210775904240DFDB14DF14D9C0B16BBA5FF84314F28C9ADD9094B346C736D847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0307D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.280176263.000000000307D000.00000040.00000001.sdmp, Offset: 0307D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bd3cf6c820259fc742b49f5a225b4122fd4e99e9b7daf657f425b0bdf3a055
Instruction ID: 88195a4ad93264541d9e2635a2c6a6c57969867369813139fb82eb88bb24a99c
Opcode Fuzzy Hash: e5bd3cf6c820259fc742b49f5a225b4122fd4e99e9b7daf657f425b0bdf3a055
Instruction Fuzzy Hash: 842162755093808FCB12CF24D994B15BFB1EF46214F28C5DAD8498F657C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0306D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.280162178.000000000306D000.00000040.00000001.sdmp, Offset: 0306D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: e080605ccb0a876f59af7f2226ed875f4f9b15fe19009672174dda28861bd1f6
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: 3111E676504280CFCF12CF14D5D4B56BFB1FB84324F28C6A9D8054B65AC336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.GenericKDZ.72687.31999.25241

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage