Play interactive tour

Edit tour

Analysis Report Dintec Order PDF.exe

Overview

General Information

Sample Name:	Dintec Order PDF.exe
Analysis ID:	345061
MD5:	98e3c2ac1efdd997b05a1fee872630ec
SHA1:	d3ce076af7b45e1f11aac5e3a1c984951c7b92ba
SHA256:	d09ed1437134f7e5c71ee4877e6d030c2750b6e1873fe6afb0f82b988c591b44
Tags:	exeNanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM_3

Yara detected Nanocore RAT

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Dintec Order PDF.exe (PID: 3480 cmdline: 'C:\Users\user\Desktop\Dintec Order PDF.exe' MD5: 98E3C2AC1EFDD997B05A1FEE872630EC)

a.exe (PID: 984 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: 98E3C2AC1EFDD997B05A1FEE872630EC)

a.exe (PID: 6648 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: 98E3C2AC1EFDD997B05A1FEE872630EC)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x109b7:$x1: NanoCore.ClientPluginHost 0x4359d:$x1: NanoCore.ClientPluginHost 0x109f4:$x2: IClientNetworkHost 0x435da:$x2: IClientNetworkHost 0x14527:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4710d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1071f:$a: NanoCore 0x1072f:$a: NanoCore 0x10963:$a: NanoCore 0x10977:$a: NanoCore 0x109b7:$a: NanoCore 0x43305:$a: NanoCore 0x43315:$a: NanoCore 0x43549:$a: NanoCore 0x4355d:$a: NanoCore 0x4359d:$a: NanoCore 0x1077e:$b: ClientPlugin 0x10980:$b: ClientPlugin 0x109c0:$b: ClientPlugin 0x43364:$b: ClientPlugin 0x43566:$b: ClientPlugin 0x435a6:$b: ClientPlugin 0x108a5:$c: ProjectData 0x4348b:$c: ProjectData 0x112ac:$d: DESCrypto 0x43e92:$d: DESCrypto 0x18c78:$e: KeepAlive
00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdba07:$x1: NanoCore.ClientPluginHost 0x10e607:$x1: NanoCore.ClientPluginHost 0x1411f7:$x1: NanoCore.ClientPluginHost 0xdba44:$x2: IClientNetworkHost 0x10e644:$x2: IClientNetworkHost 0x141234:$x2: IClientNetworkHost 0xdf577:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x112177:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144d67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdb76f:$a: NanoCore 0xdb77f:$a: NanoCore 0xdb9b3:$a: NanoCore 0xdb9c7:$a: NanoCore 0xdba07:$a: NanoCore 0x10e36f:$a: NanoCore 0x10e37f:$a: NanoCore 0x10e5b3:$a: NanoCore 0x10e5c7:$a: NanoCore 0x10e607:$a: NanoCore 0x140f5f:$a: NanoCore 0x140f6f:$a: NanoCore 0x1411a3:$a: NanoCore 0x1411b7:$a: NanoCore 0x1411f7:$a: NanoCore 0xdb7ce:$b: ClientPlugin 0xdb9d0:$b: ClientPlugin 0xdba10:$b: ClientPlugin 0x10e3ce:$b: ClientPlugin 0x10e5d0:$b: ClientPlugin 0x10e610:$b: ClientPlugin
Process Memory Space: Dintec Order PDF.exe PID: 3480	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x133c67:$x1: NanoCore.ClientPluginHost 0x152bb3:$x1: NanoCore.ClientPluginHost 0x133cc8:$x2: IClientNetworkHost 0x152c14:$x2: IClientNetworkHost 0x1390cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14703f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x158019:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x165f8b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Dintec Order PDF.exe PID: 3480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Dintec Order PDF.exe PID: 3480	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Dintec Order PDF.exe PID: 3480	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13376c:$a: NanoCore 0x133788:$a: NanoCore 0x1338e3:$a: NanoCore 0x1338f2:$a: NanoCore 0x133bcb:$a: NanoCore 0x133bf7:$a: NanoCore 0x133c67:$a: NanoCore 0x1436a9:$a: NanoCore 0x1436bb:$a: NanoCore 0x1436f7:$a: NanoCore 0x1526b8:$a: NanoCore 0x1526d4:$a: NanoCore 0x15282f:$a: NanoCore 0x15283e:$a: NanoCore 0x152b17:$a: NanoCore 0x152b43:$a: NanoCore 0x152bb3:$a: NanoCore 0x1625f5:$a: NanoCore 0x162607:$a: NanoCore 0x162643:$a: NanoCore 0x133813:$b: ClientPlugin
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\a.exe

Virustotal: Detection: 42%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Dintec Order PDF.exe

Virustotal: Detection: 42%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\a.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Dintec Order PDF.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: Dintec Order PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Dintec Order PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe.1.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe.1.dr

Software Vulnerabilities:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_00BF1268
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_00BF1258
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then push dword ptr [ebp-24h]	1_2_04CC54C0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_04CC54C0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_04CC46EC
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_04CCB658
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then jmp 04CC0806h	1_2_04CC0040
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_04CCE280
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then xor edx, edx	1_2_04CC53F8
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_04CC6320
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov esp, ebp	1_2_04CCCE78
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then push dword ptr [ebp-24h]	1_2_04CC54B4
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_04CC54B4
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_04CC6400
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_04CCB648
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then jmp 04CC0806h	1_2_04CC003B
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then push dword ptr [ebp-20h]	1_2_04CC5194
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_04CC5194
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then push dword ptr [ebp-20h]	1_2_04CC51A0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_04CC51A0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	1_2_04CCE270
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then xor edx, edx	1_2_04CC53EC
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_04CC4CBC
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 4x nop then mov esp, ebp	1_2_04CCCE68
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_00C11268
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_00C11258
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_009E1268
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_009E1258

Networking:

Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adb
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: a.exe, 00000002.00000002.686386684.000000000261A000.00000004.00000001.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Dintec Order PDF.exe

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF4880	1_2_00BF4880
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF5008	1_2_00BF5008
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFE1A0	1_2_00BFE1A0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFA4B8	1_2_00BFA4B8
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF1C58	1_2_00BF1C58
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC6E0	1_2_00BFC6E0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFAFB0	1_2_00BFAFB0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF7FC0	1_2_00BF7FC0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFA0F0	1_2_00BFA0F0
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFE193	1_2_00BFE193
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFA4AB	1_2_00BFA4AB
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF1460	1_2_00BF1460
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF1C49	1_2_00BF1C49
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC6DB	1_2_00BFC6DB
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF1E10	1_2_00BF1E10
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF1E01	1_2_00BF1E01
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFAF9F	1_2_00BFAF9F
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC6630	1_2_04CC6630
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC0040	1_2_04CC0040
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CCBDC8	1_2_04CCBDC8
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC0830	1_2_04CC0830
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC6603	1_2_04CC6603
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC003B	1_2_04CC003B
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC5C69	1_2_04CC5C69
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC5C78	1_2_04CC5C78
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CCBDB9	1_2_04CCBDB9
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CCC8D8	1_2_04CCC8D8
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CCC8E8	1_2_04CCC8E8
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_04CC0820	1_2_04CC0820
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1A0F0	2_2_00C1A0F0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C14890	2_2_00C14890
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1E1A0	2_2_00C1E1A0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1A4B8	2_2_00C1A4B8
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C11C58	2_2_00C11C58
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1C6E0	2_2_00C1C6E0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C17FC0	2_2_00C17FC0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1AFB0	2_2_00C1AFB0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1E190	2_2_00C1E190
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1A4A8	2_2_00C1A4A8
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C11C49	2_2_00C11C49
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C11470	2_2_00C11470
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1C6D3	2_2_00C1C6D3
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C11E01	2_2_00C11E01
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C11E10	2_2_00C11E10
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1AF9F	2_2_00C1AF9F
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E4882	3_2_009E4882
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009EA0F0	3_2_009EA0F0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009EE190	3_2_009EE190
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009EA4A8	3_2_009EA4A8
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E1C58	3_2_009E1C58
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E4EB8	3_2_009E4EB8
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009EC6D3	3_2_009EC6D3
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009EAF9F	3_2_009EAF9F
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E7FC0	3_2_009E7FC0
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E1C49	3_2_009E1C49
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E1460	3_2_009E1460
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E1E10	3_2_009E1E10
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 3_2_009E1E01	3_2_009E1E01

Source: Dintec Order PDF.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: a.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685771109.0000000008B20000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685771109.0000000008B20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.685507014.0000000008810000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Dintec Order PDF.exe
Source: Dintec Order PDF.exe, 00000001.00000002.684699800.0000000005610000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Dintec Order PDF.exe

Source: Dintec Order PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@0/0

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Jump to behavior

Source: Dintec Order PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Dintec Order PDF.exe

Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File read: C:\Users\user\Desktop\Dintec Order PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dintec Order PDF.exe 'C:\Users\user\Desktop\Dintec Order PDF.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Dintec Order PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Dintec Order PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe.1.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe.1.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BF89C3 push es; retf	1_2_00BF89CA
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC5E3 pushad ; retf	1_2_00BFC5EA
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC513 pushad ; retf	1_2_00BFC51A
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC510 pushad ; retf	1_2_00BFC512
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFC569 pushad ; retf	1_2_00BFC56A
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Code function: 1_2_00BFB727 push edi; retf	1_2_00BFB72A
Source: C:\Users\user\AppData\Roaming\a.exe	Code function: 2_2_00C1C569 pushad ; mov dword ptr [esp], 5504AE51h	2_2_00C1C572

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	File created: C:\Users\user\AppData\Roaming\a.exe			Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File opened: C:\Users\user\Desktop\Dintec Order PDF.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 4240	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 1584	Thread sleep count: 157 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 5776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6868	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: Dintec Order PDF.exe, 00000001.00000002.680841447.0000000003551000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686529597.00000000035C1000.00000004.00000001.sdmp, a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000003.00000002.688769935.0000000004AF0000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Dintec Order PDF.exe, 00000001.00000002.684385297.0000000004CE0000.00000002.00000001.sdmp, a.exe, 00000002.00000002.688652951.0000000004C90000.00000002.00000001.sdmp, a.exe, 00000003.00000002.688803329.0000000004B30000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Queries volume information: C:\Users\user\Desktop\Dintec Order PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Dintec Order PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Dintec Order PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Dintec Order PDF.exe, 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dintec Order PDF.exe PID: 3480, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Startup Items1	Startup Items1	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder2	Process Injection11	Virtualization/Sandbox Evasion3	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder2	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Dintec Order PDF.exe	42%	Virustotal		Browse
Dintec Order PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\a.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\a.exe	42%	Virustotal	Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ns.adb	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adb	Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.c/g	Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	Dintec Order PDF.exe, 00000001.00000002.680271086.0000000000951000.00000004.00000020.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj	Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Dintec Order PDF.exe, 00000001.00000002.680463344.0000000002541000.00000004.00000001.sdmp, a.exe, 00000002.00000002.686284355.00000000025BB000.00000004.00000001.sdmp, a.exe, 00000003.00000002.686878655.000000000257B000.00000004.00000001.sdmp	false		high
http://schema.org/WebPage	a.exe, 00000002.00000002.686386684.000000000261A000.00000004.00000001.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	Dintec Order PDF.exe, 00000001.00000002.680577443.00000000025AA000.00000004.00000001.sdmp, a.exe, 00000002.00000002.685914222.0000000000A0E000.00000004.00000020.sdmp, a.exe, 00000003.00000002.687185207.00000000025DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	Dintec Order PDF.exe, 00000001.00000002.685200737.0000000008212000.00000004.00000001.sdmp, Dintec Order PDF.exe, 00000001.00000003.647767848.0000000008201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345061
Start date:	27.01.2021
Start time:	16:43:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Dintec Order PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.2% (good quality ratio 2.3%) Quality average: 29.9% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 172.217.23.68, 172.217.23.36, 51.11.168.160, 92.123.180.163, 92.123.180.153, 52.155.217.156, 20.54.26.129, 67.26.81.254, 8.241.11.254, 8.241.11.126, 67.27.158.126, 8.248.141.254, 51.104.144.132 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:44:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
16:44:21	API Interceptor	1x Sleep call for process: Dintec Order PDF.exe modified
16:44:24	API Interceptor	2x Sleep call for process: a.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	IMG-47901.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse
	Ewqm21Iwdh.exe	Get hash	malicious	Browse
	a4iz7zkilq.exe	Get hash	malicious	Browse
	Vcg9GH4CWw.exe	Get hash	malicious	Browse
	nMn5eAMhBy.exe	Get hash	malicious	Browse
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse
	vK6VPijMoq.exe	Get hash	malicious	Browse
	8gom3VEZLS.exe	Get hash	malicious	Browse
	y4Gpxq7eWg.exe	Get hash	malicious	Browse
	DHL-#AWB130501923096PDF.exe	Get hash	malicious	Browse
	IMG_1677.EXE	Get hash	malicious	Browse
	PO#4018-308875.pdf.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	IMG_5371.EXE	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	IMG_9501.EXE	Get hash	malicious	Browse
	IMG_04017.pdf.exe	Get hash	malicious	Browse
	GFS_03781.xls.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dintec Order PDF.exe.log Download File
Process:	C:\Users\user\Desktop\Dintec Order PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1873
Entropy (8bit):	5.355036985457214
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzvr1qHj:iqXeqm00YqhQnouRqjoKtIxHeqzTwD
MD5:	CDA95282F22F47DA2FDDC9E912B67FEF
SHA1:	67A40582A092B5DF40C3EB61A361A2D336FC69E0
SHA-256:	179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
SHA-512:	1D151D92AE982D2149C2255826C2FFB89A475A1EB9B9FE93DC3706F3016CD6B309743B36A4D7F6D68F48CE25391FDA7A2BAE42061535EEA7862460424A3A2036
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1784
Entropy (8bit):	5.35306750074546
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzva:iqXeqm00YqhQnouRqjoKtIxHeqzC
MD5:	4D3278A4C9BE931A3AFCEACB561B87DB
SHA1:	E828DC80D92A261CA30E7333E7C2C3205C05AD7E
SHA-256:	A45DF0DB57887914E4C1D5A8F8053E669561A9177B333BE50AE3CB1EA4770EEB
SHA-512:	567CACB27FC7888FA3ABF924D64356780464DA20BDDB4A4719D15AD006522C0B1B75876A57E61CFC96A3A0C8C79F1D825F0D82C404AF0E53309A73CAF88519FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\InstallUtil.exe Download File
Process:	C:\Users\user\Desktop\Dintec Order PDF.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41064
Entropy (8bit):	6.164873449128079
Encrypted:	false
SSDEEP:	384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:	EFEC8C379D165E3F33B536739AEE26A3
SHA1:	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:	497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: IMG-47901.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Packed2.42783.27799.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Packed2.42783.24703.exe, Detection: malicious, Browse Filename: Ewqm21Iwdh.exe, Detection: malicious, Browse Filename: a4iz7zkilq.exe, Detection: malicious, Browse Filename: Vcg9GH4CWw.exe, Detection: malicious, Browse Filename: nMn5eAMhBy.exe, Detection: malicious, Browse Filename: sSPHg0Y2cZ.exe, Detection: malicious, Browse Filename: vK6VPijMoq.exe, Detection: malicious, Browse Filename: 8gom3VEZLS.exe, Detection: malicious, Browse Filename: y4Gpxq7eWg.exe, Detection: malicious, Browse Filename: DHL-#AWB130501923096PDF.exe, Detection: malicious, Browse Filename: IMG_1677.EXE, Detection: malicious, Browse Filename: PO#4018-308875.pdf.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: IMG_5371.EXE, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: IMG_9501.EXE, Detection: malicious, Browse Filename: IMG_04017.pdf.exe, Detection: malicious, Browse Filename: GFS_03781.xls.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk Download File
Process:	C:\Users\user\Desktop\Dintec Order PDF.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	854
Entropy (8bit):	3.0159112944533297
Encrypted:	false
SSDEEP:	12:8wl0RsXowAOcQ/tz0/CSLm9RKMJkHgTCNfBT/v4t2Y+xIBjK:8iLDWLYr+Vpd7aB
MD5:	CDE31B0A7CA104AEE6CB2FF9ABFED71F
SHA1:	B92338857A61560D0E667E6E3EB5B9CCF22CE260
SHA-256:	A835B03B57A7941B592CCF6825F308CDA3158A53B4B798B0E14C51D3E9DB1AB1
SHA-512:	AF3C36C759A831D5366F2493A4AAF7BA2A97181D098C4E2D2394F06BC379A3D947A8D2BFCFDA2ADE9C3D6AC44B0895C0E4470AA8AECF1D960C7424E2E6FAE99D
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....P.2...........a.exe.<............................................a...e.x.e.............\.....\.....\.....\.....\.a...e.x.e.$.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

C:\Users\user\AppData\Roaming\a.exe Download File
Process:	C:\Users\user\Desktop\Dintec Order PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	643584
Entropy (8bit):	5.320790042456682
Encrypted:	false
SSDEEP:	6144:0OplH55fOUxVcMpvWt56GyM0cwlnRvCSyiof5d+mxiqNdmwvg03:hHfNbxpvWtQMRwlnASyv71xiqZF
MD5:	98E3C2AC1EFDD997B05A1FEE872630EC
SHA1:	D3CE076AF7B45E1F11AAC5E3A1C984951C7B92BA
SHA-256:	D09ED1437134F7E5C71EE4877E6D030C2750B6E1873FE6AFB0F82B988C591B44
SHA-512:	F0C9CC82F29D547216672FC78C19CAAA23D432C63760433A17C86A4D484A49B879733659CEA68AE19FEEB1841A803C8BEE04CD96064C1CB3AE273E7299BE7EA7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 42%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3................P.................. ........@.. .......................@............`.....................................S.......B.................... ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...B...........................@..@.reloc....... ......................@..B........................H............&......>...La...[..........................................&..(......s.........s.........s.........s ........&........".......Vs....(3...t...........(4.....(......(8.....~....r...po5...tE...t....o8......(V.....0..F............(@...u1...........(@...u................................... .K.M(B...t2... ..U.\(B...t......... 4.......... .... .....(B...t................(B...t....(....t2...(B...t2...(B...t............(B...t1...(@...u............(B...t....&..

C:\Users\user\AppData\Roaming\a.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Dintec Order PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.320790042456682
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Dintec Order PDF.exe
File size:	643584
MD5:	98e3c2ac1efdd997b05a1fee872630ec
SHA1:	d3ce076af7b45e1f11aac5e3a1c984951c7b92ba
SHA256:	d09ed1437134f7e5c71ee4877e6d030c2750b6e1873fe6afb0f82b988c591b44
SHA512:	f0c9cc82f29d547216672fc78c19caaa23d432c63760433a17c86a4d484a49b879733659cea68ae19feeb1841a803c8bee04cd96064c1cb3ae273e7299be7ea7
SSDEEP:	6144:0OplH55fOUxVcMpvWt56GyM0cwlnRvCSyiof5d+mxiqNdmwvg03:hHfNbxpvWtQMRwlnASyv71xiqZF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3................P.................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49e41e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x9D433DF [Mon Mar 24 14:04:15 1975 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e3c8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x642	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9c424	0x9c600	False	0.5252344999	data	5.32775062207	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x642	0x800	False	0.35595703125	data	3.69283936063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa00a0	0x3b8	COM executable for DOS
RT_MANIFEST	0xa0458	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 1991 23F;HID;C92C>DJ
Assembly Version	1.0.0.0
InternalName	Dintec Order PDF.exe
FileVersion	9.13.17.22
CompanyName	23F;HID;C92C>DJ
Comments	77E5FH5@:B:;3GBH4G7
ProductName	D6:CEB?E58538D9<25FG
ProductVersion	9.13.17.22
FileDescription	D6:CEB?E58538D9<25FG
OriginalFilename	Dintec Order PDF.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 16:44:00.369968891 CET	49257	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:00.420526028 CET	53	49257	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:02.034677029 CET	62389	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:02.096035004 CET	53	62389	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:03.912905931 CET	49910	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:03.960730076 CET	53	49910	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:05.790050030 CET	55854	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:05.846998930 CET	53	55854	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:09.958733082 CET	64549	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:10.006597042 CET	53	64549	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:11.314935923 CET	63153	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:11.371381998 CET	53	63153	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:17.520215988 CET	52991	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:17.569350958 CET	53	52991	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:18.648869038 CET	53700	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:18.699317932 CET	53	53700	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:19.893682003 CET	51726	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:19.941685915 CET	53	51726	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:22.173286915 CET	56794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:22.221118927 CET	53	56794	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:23.031732082 CET	56534	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:23.087929964 CET	53	56534	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:23.151201010 CET	56627	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:23.176327944 CET	56621	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:23.216319084 CET	53	56627	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:23.227221012 CET	53	56621	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:24.032463074 CET	63116	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:24.080446959 CET	53	63116	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:25.059024096 CET	64078	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:25.085433960 CET	64801	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:25.109750986 CET	53	64078	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:25.136379957 CET	53	64801	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:26.191709995 CET	61721	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:26.242696047 CET	53	61721	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:27.431175947 CET	51255	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:27.481992960 CET	53	51255	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:28.297048092 CET	61522	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:28.350481033 CET	53	61522	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:29.657900095 CET	52337	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:29.718781948 CET	53	52337	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:42.962939024 CET	55046	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:43.022135019 CET	53	55046	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:43.544616938 CET	49612	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:43.607117891 CET	53	49612	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:44.167186022 CET	49285	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:44.223592997 CET	53	49285	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:44.378401995 CET	50601	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:44.450712919 CET	53	50601	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:44.659657001 CET	60875	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:44.711767912 CET	53	60875	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:45.163724899 CET	56448	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:45.213849068 CET	53	56448	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:45.748568058 CET	59172	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:45.810645103 CET	53	59172	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:46.401335001 CET	62420	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:46.458602905 CET	53	62420	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:47.273775101 CET	60579	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:47.330384016 CET	53	60579	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:48.324867964 CET	50183	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:48.381885052 CET	53	50183	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:48.881405115 CET	61531	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:48.942864895 CET	53	61531	8.8.8.8	192.168.2.4
Jan 27, 2021 16:44:49.295454979 CET	49228	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:44:49.355367899 CET	53	49228	8.8.8.8	192.168.2.4
Jan 27, 2021 16:45:00.754601955 CET	59794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:45:00.802643061 CET	53	59794	8.8.8.8	192.168.2.4
Jan 27, 2021 16:45:00.874398947 CET	55916	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:45:00.945894957 CET	53	55916	8.8.8.8	192.168.2.4
Jan 27, 2021 16:45:02.516755104 CET	52752	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:45:02.580696106 CET	53	52752	8.8.8.8	192.168.2.4
Jan 27, 2021 16:45:35.890669107 CET	60542	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:45:35.943331003 CET	53	60542	8.8.8.8	192.168.2.4
Jan 27, 2021 16:45:37.506793976 CET	60689	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:45:37.563329935 CET	53	60689	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Dintec Order PDF.exe PID: 3480 Parent PID: 5932

General

Start time:	16:44:04
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\Dintec Order PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Dintec Order PDF.exe'
Imagebase:	0x1b0000
File size:	643584 bytes
MD5 hash:	98E3C2AC1EFDD997B05A1FEE872630EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.681613074.0000000004031000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.681348992.0000000003E9B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 984 Parent PID: 3480

General

Start time:	16:44:21
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\a.exe'
Imagebase:	0x250000
File size:	643584 bytes
MD5 hash:	98E3C2AC1EFDD997B05A1FEE872630EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, Virustotal, Browse
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 6648 Parent PID: 3424

General

Start time:	16:44:21
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\a.exe'
Imagebase:	0x110000
File size:	643584 bytes
MD5 hash:	98E3C2AC1EFDD997B05A1FEE872630EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Dintec Order PDF.exe PID: 3480 Parent PID: 5932 Dintec Order PDF.exeCOMMON

Executed Functions

Function 00BFE1A0, Relevance: 7.2, Strings: 5, Instructions: 974COMMON

Download Yara Rule

Strings

ntin, xrefs: 00BFE6CD
(, xrefs: 00BFE826
#*{Y, xrefs: 00BFEF46
ntin, xrefs: 00BFEBFF
<, xrefs: 00BFE3BC

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y$($<$ntin$ntin
API String ID: 544645111-3243781729
Opcode ID: 72a7240fba1283d5935b365ce90a1c5f14da1c8b8bd9cb6d68f0c85a0130fa55
Instruction ID: 6f8442d913d1056fb02fe3306ae20ef5da1352b26196cf3874424026aa8cb1ac
Opcode Fuzzy Hash: 72a7240fba1283d5935b365ce90a1c5f14da1c8b8bd9cb6d68f0c85a0130fa55
Instruction Fuzzy Hash: B7A2D374E042188FDB14DF99C981AADFBF2BF89304F25C0A5D618AB355D730AA85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFE193, Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

ntin, xrefs: 00BFE6CD
ntin, xrefs: 00BFE4A3
<, xrefs: 00BFE3BC
#*{Y, xrefs: 00BFE6BC

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y$<$ntin$ntin
API String ID: 544645111-1528897308
Opcode ID: 6ce77b1e812b031d62c037408ef844a01a31d2350b6bd3509e2b756f758d1faf
Instruction ID: dbf3d3dd91ece9298432432bc5efe65f580c05c8216295d5cedce7310ec5e171
Opcode Fuzzy Hash: 6ce77b1e812b031d62c037408ef844a01a31d2350b6bd3509e2b756f758d1faf
Instruction Fuzzy Hash: 9DE195B5E046198FDB18CFAAC9816DEFBF2BF88300F14C0A9D518AB365DB3499458F51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4880, Relevance: 4.3, Strings: 3, Instructions: 520COMMON

Download Yara Rule

Strings

D0l, xrefs: 00BF4CE4
D0l, xrefs: 00BF4D71
D0l, xrefs: 00BF4E71

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: D0l$D0l$D0l
API String ID: 0-1921109830
Opcode ID: f33dfce74ab09fe22dc034f82463381653d4b526dd6e5bbe2b2c154589daddd9
Instruction ID: 96c7c26a14079a91433025b9e96457d060d926564f8f66a695c0eda4912e666f
Opcode Fuzzy Hash: f33dfce74ab09fe22dc034f82463381653d4b526dd6e5bbe2b2c154589daddd9
Instruction Fuzzy Hash: D9127D70A002199FDB14DF68C854BAEBBF2FF88304F1585A9E60ADB355EB349D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA4B8, Relevance: 3.1, Strings: 2, Instructions: 645COMMON

Download Yara Rule

Strings

<, xrefs: 00BFA5DD
@, xrefs: 00BFADBD

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 2da298f63d6c2900c7a6144250d0088584eea32379e4798d234c523ed69ce20c
Instruction ID: ad5c870aa0c111afdea928019f072ab2309f298757f5ba481c5b4c55360ff383
Opcode Fuzzy Hash: 2da298f63d6c2900c7a6144250d0088584eea32379e4798d234c523ed69ce20c
Instruction Fuzzy Hash: 2B629EB4A00219CFDB64DFA9C980A9DFBF2FF49705F15C1A9D508AB212D730AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA4AB, Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

<, xrefs: 00BFA5DD
@, xrefs: 00BFADBD

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 1e5978cadf582d69841c85eda748ed461a88077af88710cbe32438629b7e0cb7
Instruction ID: 2041e6b98d57d932b30d6aa3a556b367ed79aa05f72f3db142d180747c480549
Opcode Fuzzy Hash: 1e5978cadf582d69841c85eda748ed461a88077af88710cbe32438629b7e0cb7
Instruction Fuzzy Hash: 7422BEB0900219CFDB68EF56C984A99FBF2EF49B05F16C1E9D548AB212D7309E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04CC6320, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

#*{Y, xrefs: 04CC7530

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID: #*{Y
API String ID: 0-2019906967
Opcode ID: aa17650a2298796ff11d9f0c8584ddcdbff60cb08083569fc26ca37492908118
Instruction ID: 49508e4b6e8f7ff0d2c737ce2e0e6a6c22992fe2388454a8b5930b56f51392b0
Opcode Fuzzy Hash: aa17650a2298796ff11d9f0c8584ddcdbff60cb08083569fc26ca37492908118
Instruction Fuzzy Hash: C8B18C71E002099FDB14DFA9C45469EBBF2FF89304F24856EE519BB251EB30A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CC6400, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

#*{Y, xrefs: 04CC7530

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID: #*{Y
API String ID: 0-2019906967
Opcode ID: 6c80e11d38c03367d41d95c36b2029a777a52dec5fc4bdb58550bfc15576be45
Instruction ID: a54b1669fccb4fcacfefbff8289b8a2be2ba067c7d81a54900fe3f9ca31b769a
Opcode Fuzzy Hash: 6c80e11d38c03367d41d95c36b2029a777a52dec5fc4bdb58550bfc15576be45
Instruction Fuzzy Hash: 9E419AB4D05208DFDB10CFAAC584ADEBBF5EB09304F24906AE519BB250DB74A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04CC4CBC, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

#*{Y, xrefs: 04CC4CF0

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID: #*{Y
API String ID: 0-2019906967
Opcode ID: bd1a1183f9c7a28780d7f87dd47b61ca562e550f9fd79a8e26d32b3a6b49f312
Instruction ID: 067a659a25dadbf74eb4f6c8918f9ae9cad518625643b3e039ae3e92ba12b180
Opcode Fuzzy Hash: bd1a1183f9c7a28780d7f87dd47b61ca562e550f9fd79a8e26d32b3a6b49f312
Instruction Fuzzy Hash: 0341C9B4D01208AFEB14DFA9D584BDEFBF2BB09314F20902AE405BB250CB75A945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1258, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

!, xrefs: 00BF12DC

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 0eb1c610ed496d92f483fa9694756b3fb05ea094ba974bc581908e7d632e0097
Instruction ID: 240c763b23ec1189c7d6ba985ed4bd2dbe5893c9a6a3d759840364ce8f7f6ca5
Opcode Fuzzy Hash: 0eb1c610ed496d92f483fa9694756b3fb05ea094ba974bc581908e7d632e0097
Instruction Fuzzy Hash: 5D410978E01249DFCB19DFA8D484ADEBBB2FF89305F10856AD405A7364DB349946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC46EC, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

#*{Y, xrefs: 04CC4CF0

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID: #*{Y
API String ID: 0-2019906967
Opcode ID: b98d8a210b332dcbab1249ada8fd852ce273b98f4a10b621b23fd3db600c3ba1
Instruction ID: 3d14ce0e83436427a1476c0fa6aa8d68415d3c734af967f604e487e34a719918
Opcode Fuzzy Hash: b98d8a210b332dcbab1249ada8fd852ce273b98f4a10b621b23fd3db600c3ba1
Instruction Fuzzy Hash: 5341BCB4D05208DFEB14DFA9C584BDEFBF1AB09304F20912AE405BB250DB74A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1268, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

!, xrefs: 00BF12DC

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: b0fff5deab96012f8619116b5d4ded2053303f24578eab8ee86bcaf1bc9a39c8
Instruction ID: fdd332f4ca950a66034735d5017a331ab9e18d443df5945a7b4110d2a229b596
Opcode Fuzzy Hash: b0fff5deab96012f8619116b5d4ded2053303f24578eab8ee86bcaf1bc9a39c8
Instruction Fuzzy Hash: CE41EA78E01208DFCB09DFA9D484AEEBBF2FB89305F108569D905A3364DB359946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7FC0, Relevance: .8, Instructions: 791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a38e0e3a152f554ecc47a4a74b3a121a92280c57e184c8e58eb4b8efbeeca79
Instruction ID: 28743c46ee43cbd84e555d4b3f050e658c9231c5c0cd441e11bf8d9cad930675
Opcode Fuzzy Hash: 4a38e0e3a152f554ecc47a4a74b3a121a92280c57e184c8e58eb4b8efbeeca79
Instruction Fuzzy Hash: 68727D30A04209DFCB15CF68C884ABEBBF2FF88304F158599E645AB265DB74ED49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC6E0, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdc73589fce97e324e5ce68aeca29226b4d4de118bf2d6477ea61e8e45bbba7
Instruction ID: 307935f4ec9491fa72e3e6458b583691cf5329dfae9c81fd978e003f4005cfb4
Opcode Fuzzy Hash: cbdc73589fce97e324e5ce68aeca29226b4d4de118bf2d6477ea61e8e45bbba7
Instruction Fuzzy Hash: 36426D74A01219CFDB24CFA9C984BADBBF2FB48311F5081A9D909A7355D734AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAFB0, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f63e0d28902010b871d630ba779227ed821258025d8be1395d39312db403585
Instruction ID: ee0474101da9ae8a6e74c1aad92006cf78fc7e4d49ce7587b95aec7286d4b83a
Opcode Fuzzy Hash: 6f63e0d28902010b871d630ba779227ed821258025d8be1395d39312db403585
Instruction Fuzzy Hash: E832CF70900219CFDB54EF69C980A9EFBF2FF49B05F55C199C548AB212CB309A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0040, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381c2d75e3b87a01a74e9e40a0ae37927ed57088fda7dd4e3a625f924602d16c
Instruction ID: 43cac386d8725dbfa81180bf9404b62a568e153ea07722a624a29234cc29bb09
Opcode Fuzzy Hash: 381c2d75e3b87a01a74e9e40a0ae37927ed57088fda7dd4e3a625f924602d16c
Instruction Fuzzy Hash: 5222C474D01228CFDB28DF66D845BADBBB2FF49306F1084AAD409A7254DB399E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04CC003B, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9057f0354ca3849d03d09a1d316702b642a1fe42020dcbbbb8204f8218e6d49c
Instruction ID: 388340a036987bd5edaca59dc2316cf5bc8742e55977054cbb242002b8b9e74f
Opcode Fuzzy Hash: 9057f0354ca3849d03d09a1d316702b642a1fe42020dcbbbb8204f8218e6d49c
Instruction Fuzzy Hash: 8322C474901228CFDB28DF65D855BADBBB2FF49306F1084AAD409A7254DB399E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5008, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac166af00875864abb953c29db5e18d46bf14ab41c6498a21c899db31e40028
Instruction ID: 908445878e6a9e9c6b2f6561737fd25d25217a8f144556d794e71ea4f1cde351
Opcode Fuzzy Hash: 0ac166af00875864abb953c29db5e18d46bf14ab41c6498a21c899db31e40028
Instruction Fuzzy Hash: 30E12A71A00519DFCB24CFA8C884AADBBF2FF89340F5581A5E606AB261D770ED49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04CCBDB9, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776f4b4b29e0cabab227dcb2bda74b89fd603321cc5d5fff499af318c09d7fbb
Instruction ID: d72f89735c6d953a9c2b27b0ae71e08c503e828489fb39ce6ea34d168fdfca84
Opcode Fuzzy Hash: 776f4b4b29e0cabab227dcb2bda74b89fd603321cc5d5fff499af318c09d7fbb
Instruction Fuzzy Hash: 2FD1AF78E01218CFDB14CFA6D948B9EBBB2FB49305F1091AAD809A7255DB385E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CCBDC8, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bd2f14b9279e48c4d8dcff9b4a37efb77aaeb14a656ffacae777ff26d67083
Instruction ID: cafd89f648bbc7d88c23016c17d74e37822efcea5782a654f742acc3a2c75b97
Opcode Fuzzy Hash: 00bd2f14b9279e48c4d8dcff9b4a37efb77aaeb14a656ffacae777ff26d67083
Instruction Fuzzy Hash: 4ED1A078E01218CFDB14DFA6D948B9EBBF2FB49301F1091AAD809A7255DB385E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0830, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afb95ecbc35260ab5e687a9b9835deca46bd5c5a522e7ef85e0658977eba72e
Instruction ID: 24a644c8eda498e1b94c960eecbeb6a3269ee3251d18623e728d781e69af6c96
Opcode Fuzzy Hash: 0afb95ecbc35260ab5e687a9b9835deca46bd5c5a522e7ef85e0658977eba72e
Instruction Fuzzy Hash: 4BD1BD74E00218CFDB54EFAAD984B9DBBB2FF88304F1081AAD449A7255EB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04CC6630, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc29fbb27f4b380e61164d7f546b21c0206a05f7c65798e9a0e414a7bb70b05b
Instruction ID: c2a040e242926e4ed2dfa78b5d496d593904adc559a7eddb4d4f51bad0983cb4
Opcode Fuzzy Hash: fc29fbb27f4b380e61164d7f546b21c0206a05f7c65798e9a0e414a7bb70b05b
Instruction Fuzzy Hash: 95B1E475E002188FDB14DFAAC944A9DFBF2BF89314F10C1AAD459AB355EB34A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0820, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a90d4535c2bfb5631116ba8b071df68fefcaf57e00447a1536f0818a3eacd47
Instruction ID: d1067788980364f02ebd0e67c892f16f54a15d4375d7e98fbb825e71155b4db9
Opcode Fuzzy Hash: 4a90d4535c2bfb5631116ba8b071df68fefcaf57e00447a1536f0818a3eacd47
Instruction Fuzzy Hash: 6AA1D274E04218CFDB58EFAAD98479DBBF2FF88304F1084AAD449A7255DB345A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC6DB, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4ceabd59277e52de2fd1b7ee36e15d171a960184221cdea64abaf255309e72
Instruction ID: 8bb43adb4e211bf35d757b89bfcb981a4b14c6aac6dd1c8aaff1aceaded14b68
Opcode Fuzzy Hash: 8d4ceabd59277e52de2fd1b7ee36e15d171a960184221cdea64abaf255309e72
Instruction Fuzzy Hash: 0061A474E01218DBDB18CF5AD984B9DBBF2FF88301F1481A9D809A7354D735A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1C58, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5a8278fb2e5c5a8e04c6ea3ba2e941c25f23d185cb47e0dec1a86c0e181d77
Instruction ID: c9e51cfbf10ea10fb5f54456267f69d9f0ea1f611f6f6a88cfb061fd60ef398c
Opcode Fuzzy Hash: 3b5a8278fb2e5c5a8e04c6ea3ba2e941c25f23d185cb47e0dec1a86c0e181d77
Instruction Fuzzy Hash: B051A075E00208DFCB04DFAAC581AAEFBF2EF88315F25C5A9D504A7315DB359A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAF9F, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ab6a67cede084e1d6c6460c72472ddf8e1406af2e44b3782eadc168b58d871
Instruction ID: 55759a88aee5dc1e8bde1b0a9902633dd24afee766000cd91dbb45a281bc4b65
Opcode Fuzzy Hash: c1ab6a67cede084e1d6c6460c72472ddf8e1406af2e44b3782eadc168b58d871
Instruction Fuzzy Hash: 0151F671E046188FEB58DF6AC951B9EBBF3EF89304F10C0EAC508AB255DB345A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1C49, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ddeb92046d17c4b9eeafc26ff98c29f0c5b10ce7b41c4a424765b61bb240be
Instruction ID: cf14cc8d06c2d2886f6a99e9cd75a1bc73c1b7f08bc0d712105cd4d3c65ba089
Opcode Fuzzy Hash: 55ddeb92046d17c4b9eeafc26ff98c29f0c5b10ce7b41c4a424765b61bb240be
Instruction Fuzzy Hash: FF41D275E04209DFDB04CFAAC9846EEBBF2AF88311F15C4AAD504AB355EB349A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CCB648, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a868b1ce3981531da83563ae0a2cfdfa39d7725d30b6b8fbb7dfa225b8b267b0
Instruction ID: 5ea2498a2ca209e080dd6b987bd465aac3951ae6441532cabb5ad99349076c4e
Opcode Fuzzy Hash: a868b1ce3981531da83563ae0a2cfdfa39d7725d30b6b8fbb7dfa225b8b267b0
Instruction Fuzzy Hash: 2C411431D002189FCB08EFA9D855ADDBBB2FF89304F10856AE415B7260EB746D85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CCB658, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9138a457e72f23ac28d5a0bf1b8803ec40a8baf72ecb63a0e507e8efdb7b58
Instruction ID: 8b5d117462b6c57398b5eeba1ae83ba355fa7ee3ef83535ed33ff53e330f6e7c
Opcode Fuzzy Hash: 5f9138a457e72f23ac28d5a0bf1b8803ec40a8baf72ecb63a0e507e8efdb7b58
Instruction Fuzzy Hash: 8241F331D102189FCB08EFA9D855ADDFBB2FF89305F10852AE415B3264EB746945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CCE270, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce376216e67cc3d0f07333ee273e8b6450028172e6f604fa61ddb87d97d3bb9
Instruction ID: 71aedf206191d15ce15bf5f49c9e11bcda1c465f2c6e0e34ce33792c1fb7a7ef
Opcode Fuzzy Hash: 3ce376216e67cc3d0f07333ee273e8b6450028172e6f604fa61ddb87d97d3bb9
Instruction Fuzzy Hash: DD211672D002698FDB089FA5D8187EEBBB1EF4A306F00502AD51573290CB781A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CCE280, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d622e16a96f73ca63181f998aa25ff82273632aeef63ea8d2f659f58639cfb6d
Instruction ID: 72e8b69724f3a806c707cb3fa7af2e0d94419bd80b0197a561dfcc42b1113f48
Opcode Fuzzy Hash: d622e16a96f73ca63181f998aa25ff82273632aeef63ea8d2f659f58639cfb6d
Instruction Fuzzy Hash: E321E471D002299FDB08DFA5D8197EEBBB1FB4A316F00542AD515B32A0DB781A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CC54B4, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cfffcfd549466ece491efb689704e763051b5796b3c316c86b6782d849b01
Instruction ID: bce5565da834a24db9825be3a0329de1e354feb1a3d72e6df1bf3939a4cddf64
Opcode Fuzzy Hash: 6b3cfffcfd549466ece491efb689704e763051b5796b3c316c86b6782d849b01
Instruction Fuzzy Hash: 7421B478D00219EFDB14CFAAD4446EEBBF2AB49320F14D12AE824B7394D734A581CF58

Uniqueness

Uniqueness Score: -1.00%

Function 04CC54C0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c608dde101d8839e34180caa0ef11291841aebf21ed5a025404ae873d37ec7cc
Instruction ID: db58e8cdf4613711af3230a7d53693ad8a10a6332d856e250005f24272e05a8b
Opcode Fuzzy Hash: c608dde101d8839e34180caa0ef11291841aebf21ed5a025404ae873d37ec7cc
Instruction Fuzzy Hash: A52162B8D04218EFDB14CFAAD4446EDBBF2AB49310F14D129E824B7254D734A645CF58

Uniqueness

Uniqueness Score: -1.00%

Function 04CC53EC, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dff5fbdad485ea2a5a5f396fc780060f0166ed517c110b4222b5cb4ff8c09e5
Instruction ID: 5b7732c4e5c405095c80aebfaaa0e7ee4aa0373e8c14195b631a87882712f0c4
Opcode Fuzzy Hash: 1dff5fbdad485ea2a5a5f396fc780060f0166ed517c110b4222b5cb4ff8c09e5
Instruction Fuzzy Hash: 3401B6B9D0420C9B8F14DFAAD4415DEFBF2AB59310F10A02AD855F3314E7319901CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 04CCCE68, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4340c81030c4a559241f025bf4e3c4b1262d442e909b9862d93ac6aed3ce40
Instruction ID: acb08dbf0dc3318d7d12c6263032b1c4f4a0665c1c6395951b5f7cf0724d5475
Opcode Fuzzy Hash: ab4340c81030c4a559241f025bf4e3c4b1262d442e909b9862d93ac6aed3ce40
Instruction Fuzzy Hash: 660124B0C0520AEFCB04EFA8C5053AEFBF1FF05301F2054AAD808A3290E7385A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CC53F8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: d016583ced7ab23055917ca73e7be69f2f0324c264797af1c6a93564997e4a6d
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 2AF092B4D0520C9F8F04CFAAD4408EEFBF2AB59310F10A12AE818B3314E73099018FA8

Uniqueness

Uniqueness Score: -1.00%

Function 04CCCE78, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c831004dbf79496475aba84c30f056008d74b520121130b8a3a1ce7bca41746d
Instruction ID: f22976a22573927088307ca18646dff4be316de82eb538d495a2c92c0c3a1081
Opcode Fuzzy Hash: c831004dbf79496475aba84c30f056008d74b520121130b8a3a1ce7bca41746d
Instruction Fuzzy Hash: B9F0E2B0C05219EFCB44EFA8D5157AEFBB1FB49305F2094AA8809B3290E7785A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04CC65DC, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 273COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 04CCD209

Strings

#*{Y, xrefs: 04CCCFD4
#*{Y, xrefs: 04CCCFA5

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID: CopyFile
String ID: #*{Y$#*{Y
API String ID: 1304948518-2639071991
Opcode ID: 3bd59f2ed2467ac5d10fda0fb6bbf410857f21c80815c5cebf7f3248da9c72cc
Instruction ID: 4d0c66a1a4bbd03df614aaa6bfcbf44200ec989fc734fa9b2a070317473d8bb2
Opcode Fuzzy Hash: 3bd59f2ed2467ac5d10fda0fb6bbf410857f21c80815c5cebf7f3248da9c72cc
Instruction Fuzzy Hash: 81C1CF74E00219DFEB24CFA9D981B9DFBB2BF49304F1481A9E419B7251D734AA81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04CCCF5C, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 04CCD209

Strings

#*{Y, xrefs: 04CCCFD4
#*{Y, xrefs: 04CCCFA5

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID: CopyFile
String ID: #*{Y$#*{Y
API String ID: 1304948518-2639071991
Opcode ID: 4558ca3305f813a2f1cbda26fa908b002eba20ae82e0646c7e6c7d4e8deaef5d
Instruction ID: f62561c92c7ca5487afbb0da256fdcd38a5772bc383917be25a8f7d2769e5a5b
Opcode Fuzzy Hash: 4558ca3305f813a2f1cbda26fa908b002eba20ae82e0646c7e6c7d4e8deaef5d
Instruction Fuzzy Hash: 38B1E174E00219CFEB24CFA9D981B9DFBB2BF49304F1481A9E419B7251D734AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BFEF98, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00BFF047

Strings

#*{Y, xrefs: 00BFEFC2

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y
API String ID: 544645111-2019906967
Opcode ID: ad15cc82185894304b40c06846a94ddee0852763d839d17eb06c92b552186294
Instruction ID: 0090cc1913e239efdaa2b63b76913400107436b2de6e9f990e4fb1d8690f863e
Opcode Fuzzy Hash: ad15cc82185894304b40c06846a94ddee0852763d839d17eb06c92b552186294
Instruction Fuzzy Hash: 4A3198B9D042589FCB10CFA9D484AEEFBF1AF19320F24906AE815B7210D775A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA0C4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00BFF047

Strings

#*{Y, xrefs: 00BFEFC2

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y
API String ID: 544645111-2019906967
Opcode ID: b48def7c467c760871eb26e2bc340ac80db3ca08249abf2d6553653d9bcf1d4c
Instruction ID: 1cdb30c1be1d0877d030e0ade0f1d6c625b7b31fce123d2961b3d5a2ede9cba5
Opcode Fuzzy Hash: b48def7c467c760871eb26e2bc340ac80db3ca08249abf2d6553653d9bcf1d4c
Instruction Fuzzy Hash: 6431A8B9D042589FCB10CFAAE484AEEFBF0AF19310F14906AE814B7210D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAE9B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,514A1B1F,DBBDF2D4), ref: 00BFAF47

Strings

#*{Y, xrefs: 00BFAEC2

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y
API String ID: 544645111-2019906967
Opcode ID: 26d129f6ca60467985af524226f34c78af4a8fdb3aac8085481e2c0cd06f452a
Instruction ID: 7e4a1b0a56c1c04fe19c2a5f73d6db1b5acd77f916fb0014e581c1ced957228d
Opcode Fuzzy Hash: 26d129f6ca60467985af524226f34c78af4a8fdb3aac8085481e2c0cd06f452a
Instruction Fuzzy Hash: 43319AB9D052589FCB10CFA9D884ADEFBF4BB19310F14906AE814B7310D774A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9F5C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,514A1B1F,DBBDF2D4), ref: 00BFAF47

Strings

#*{Y, xrefs: 00BFAEC2

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: #*{Y
API String ID: 544645111-2019906967
Opcode ID: 87b6863c9d9f3b2fb8c5447a86687a1a70e85519c86d0bce16dad7960c856f56
Instruction ID: 244719fad818cd88203042de2b922e6ae4c126730709d088e9a9d31a596e9b43
Opcode Fuzzy Hash: 87b6863c9d9f3b2fb8c5447a86687a1a70e85519c86d0bce16dad7960c856f56
Instruction Fuzzy Hash: BC31AAB9D042589FCB14CFA9D484AEEFBF1AB19310F24906AE814B7210D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB9A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 00BFF7A1

Strings

#*{Y, xrefs: 00BFF72A

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: DeleteFile
String ID: #*{Y
API String ID: 4033686569-2019906967
Opcode ID: d9a93d4c9f07fe83edadb6908176acd172912b6682cf36c258c5497d411df230
Instruction ID: 1303d0593012623b57335849348156923bbda1e0256079218de696f1d312094f
Opcode Fuzzy Hash: d9a93d4c9f07fe83edadb6908176acd172912b6682cf36c258c5497d411df230
Instruction Fuzzy Hash: 7631E9B4D052599FCB00CFA9D884AEEFBF1AF49314F14806AE904B7210D774A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BFF703, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 00BFF7A1

Strings

#*{Y, xrefs: 00BFF72A

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID: DeleteFile
String ID: #*{Y
API String ID: 4033686569-2019906967
Opcode ID: 3b72a51c87f6bd18a727215f540a3f34ccfb446156d38b78fc558e31dab9599d
Instruction ID: 4c8d6c61ac21b38703390f681c78cefbd669850f25589e9bca25c5c7ddbda2d3
Opcode Fuzzy Hash: 3b72a51c87f6bd18a727215f540a3f34ccfb446156d38b78fc558e31dab9599d
Instruction Fuzzy Hash: 0431D9B4D012599FDB00CFA9D984AEEFBF5AF49314F14806AE804B7210D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5432d5d4e04b7e5b8903c782ff6d1c1832748ccdb2988cee3c9f71a6926d8fb0
Instruction ID: bba08df8441a9ce9113300f1d6b87bfe2d088f9abb6e33f7a28aa5c6356b9acf
Opcode Fuzzy Hash: 5432d5d4e04b7e5b8903c782ff6d1c1832748ccdb2988cee3c9f71a6926d8fb0
Instruction Fuzzy Hash: AF213AB1504240EFDB04DF10D8C0B66BFA6FBA8328F6486A9D9054B206C336D896D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D400, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed01c6df29ca10833875b730ea8850a5db31e4d135a5404c49dbbd5265c0fe8
Instruction ID: 2ae0a4febc8d8fd5fd78b8dac3adf3e1050abf62dc6f99be643cd80d4a96efb7
Opcode Fuzzy Hash: bed01c6df29ca10833875b730ea8850a5db31e4d135a5404c49dbbd5265c0fe8
Instruction Fuzzy Hash: 302125B1504244DFDB14DF10D8C0BA7BBA5FB98324F64C6A9E9054B306C33AE896C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D3FB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction ID: 0fe9471d5dae0f4170b2943b0c0bd07dd2f604ec680dca363c1937c55497b0ee
Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction Fuzzy Hash: 1A11B176404680DFDB11CF10D5C4B56BFB1FB94320F24C6E9D8454B616C33AE896CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction ID: 137439f3bddf2004442c0f681cad0ab1428fbe22f35bad33cded4d088a83c978
Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction Fuzzy Hash: 5511D376404280DFDB05CF10D5C4B56BFB2FB98324F24C6A9D8450B61AC33AD896CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D821, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64ad4d5604ba5deead9dbdbf430dcddc6d2365d0665c881fa9e5d424a896aa6
Instruction ID: 54aadafa17011b4fb9e4d0238f28eae4f7fbafcabbf6d0e08473082ce5d2de99
Opcode Fuzzy Hash: e64ad4d5604ba5deead9dbdbf430dcddc6d2365d0665c881fa9e5d424a896aa6
Instruction Fuzzy Hash: FC012B71408344AAE7104A12CCC0BE2FBD8EF41338F58C59AED445B246D378DC84C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D820, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680325714.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24c9e3ffbde4ce72c06c6b84f3b4c41eec96e2b0c3bae05ae85ccf432864c4d
Instruction ID: e8621af0c9d74eb0790ef1b9ed0268e398ab24606eeb6d37812f633a8add7485
Opcode Fuzzy Hash: e24c9e3ffbde4ce72c06c6b84f3b4c41eec96e2b0c3bae05ae85ccf432864c4d
Instruction Fuzzy Hash: E3F06271405244ABE7148A16CCC4BA2FBE8EB91734F18C55AED485B286C3789884CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BF1460, Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

D0l, xrefs: 00BF18C8

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: D0l
API String ID: 0-2225038300
Opcode ID: b156eda6a7ced257fe30f2e5f1325aee0f67647145d67e09851742c868d3d481
Instruction ID: 126f2eff80ba227138fb276e70c6c3b383f7dc6029b3d27ca010f82b47d05be1
Opcode Fuzzy Hash: b156eda6a7ced257fe30f2e5f1325aee0f67647145d67e09851742c868d3d481
Instruction Fuzzy Hash: 98B1A630704219CBDB282B29865533A76E6EFC0791F258EADD687C7694CF34CC49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA0F0, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

D0l, xrefs: 00BFA3EC

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: D0l
API String ID: 0-2225038300
Opcode ID: 76bca6491060d876c955f866b15f1ea2477a51cd23b5a6b0f0baba03fc831297
Instruction ID: 63558617bf1643e87f1fc13f49bd208bc4f53e5fd72aca32309b6a353049cc61
Opcode Fuzzy Hash: 76bca6491060d876c955f866b15f1ea2477a51cd23b5a6b0f0baba03fc831297
Instruction Fuzzy Hash: 7E81C274B1822C8FDB0CAF74986477EB6A7BFC8704B15886DD50AE7298DF3488059792

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1E10, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

$,l, xrefs: 00BF1FE7

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID: $,l
API String ID: 0-2860895947
Opcode ID: fccc335940604bd87b42ebd9f42f8a1cf0de0570c140804ccca3f81c0a5bb456
Instruction ID: 27c9e3046bbe38f9acddf3d1e78a550a92cf60848456adf29ce9a4e12e00e3dd
Opcode Fuzzy Hash: fccc335940604bd87b42ebd9f42f8a1cf0de0570c140804ccca3f81c0a5bb456
Instruction Fuzzy Hash: 6F71A375E052188FDB14DFAAC580AADFBF2BF88314F15C569D908A7315EB309945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CCC8E8, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3862f8ec2cc1cbfa0b6d6b7d8326b4ba29e56645544908fa18466d37dfa583c5
Instruction ID: 3ef858f8cd4da1959b7172855a3ef1ae744bc1fbf9c27cf66bf31dc61760bf4e
Opcode Fuzzy Hash: 3862f8ec2cc1cbfa0b6d6b7d8326b4ba29e56645544908fa18466d37dfa583c5
Instruction Fuzzy Hash: F002C475E04229CFDB24DFA5C884BADFBB2BF49314F1481A9D44CA7291DB389A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC5C69, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de5a09e44b9ce71e187265541f0fd6eaeeb93d1fe69f04f6601bb97008be041
Instruction ID: 8fd0d6f0d0cdb963ca930cf4fca59319cde32ad916ebafb2080edc35cad64993
Opcode Fuzzy Hash: 8de5a09e44b9ce71e187265541f0fd6eaeeb93d1fe69f04f6601bb97008be041
Instruction Fuzzy Hash: 7BD13631C2175ACACB10EF64D955ADDB3B1EF95200F608B9AE14937224FB706AC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04CC5C78, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b795f287053b24126ebbfc5f2a24a23315633edac7630291e730338ad9aa0ef
Instruction ID: b7fda48a216adaf246411df48b8cac8ff72da1bf2c8d02cf20f22e8673b39d39
Opcode Fuzzy Hash: 2b795f287053b24126ebbfc5f2a24a23315633edac7630291e730338ad9aa0ef
Instruction Fuzzy Hash: AFD12431C2175ACACB10EF64D955A9DB3B1EF95300F619B9AE14937224FB706AC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00BF1E01, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.680389737.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897acb408a3ed733930c525557706fee8f63dd7ac05679529fd107a9e78979db
Instruction ID: 57b85207745e1efad7079abd062c83aff09470189d02e44c343e141faf754593
Opcode Fuzzy Hash: 897acb408a3ed733930c525557706fee8f63dd7ac05679529fd107a9e78979db
Instruction Fuzzy Hash: C441D671E056188FDB18CFAAD9446EEFBF3AFC8311F14C56AD908AB255EB304946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC6603, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d558838350b0e45b9119dd7b218df4ba2a67f43a62f6450501b4f04143d7aa
Instruction ID: 3af65a904af3641bdf306e9cac051bd07cac95c8c9ea2fef1017370fd77663fd
Opcode Fuzzy Hash: 94d558838350b0e45b9119dd7b218df4ba2a67f43a62f6450501b4f04143d7aa
Instruction Fuzzy Hash: C631F2B1E042588FDB08CFAAC9446DDFBF2AFC9304F14C0AAD458AB265EB345945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04CCC8D8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a45ef221b6a5ecbdc6715aad6875d710e7eac123ed6f840b6b4aa0801f89fc8
Instruction ID: a70f43f69dd57e3bfd4a5b423816a06081da001bbd383c6082a39374d48e2c1f
Opcode Fuzzy Hash: 5a45ef221b6a5ecbdc6715aad6875d710e7eac123ed6f840b6b4aa0801f89fc8
Instruction Fuzzy Hash: DE419471D002298FEB68CFA6D94579EBBF2BF88304F14C0AAD54CA7255DB781A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC5194, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feaecf31270ad0847507631799fd059a8d6b83dc6c8e5452d90acac256451e12
Instruction ID: 53e3cb5d1478adf406236d7737aaf9d590095ae1fcd1c89396d392b0fcd06e3b
Opcode Fuzzy Hash: feaecf31270ad0847507631799fd059a8d6b83dc6c8e5452d90acac256451e12
Instruction Fuzzy Hash: 5F319FB8D05218EFDB14CFA9D484AEEBBF2BB89350F24912AE814B7354D734A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CC51A0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.684352228.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af1e1b6e873590dfaa1babff31d87e6cb7129b3a32286ed7ce83a2d444c8844
Instruction ID: 2aec6e76547a7586312cd119232210bb554e618a5f568f9bd6bd242b7045eb97
Opcode Fuzzy Hash: 4af1e1b6e873590dfaa1babff31d87e6cb7129b3a32286ed7ce83a2d444c8844
Instruction Fuzzy Hash: 59316EB4D05218EFCB14CFA9D484AEEBBF2BB89350F24912AE814B7354D734AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: a.exe PID: 984 Parent PID: 3480 a.exeCOMMON

Executed Functions

Function 00C1EF98, Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00C1F047

Memory Dump Source

Source File: 00000002.00000002.686160433.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ed857c197221a2ead2d7a52bc902088b1d3f5d93436efb772f1f6a8c69accd38
Instruction ID: ac482e0c3feea3675162eb8bb9daef39b8acb878a059047a8faa9bf36150caae
Opcode Fuzzy Hash: ed857c197221a2ead2d7a52bc902088b1d3f5d93436efb772f1f6a8c69accd38
Instruction Fuzzy Hash: 4F31AAB9D042589FCF10CFA9D480ADEFBB1BB09310F24902AE814B7210C775A986DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A0C4, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00C1F047

Memory Dump Source

Source File: 00000002.00000002.686160433.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d6e68e4786753af15d10048948eb02bf92fc6069a55180b56051ab9d4999fbcc
Instruction ID: ea227f398a5ee98238ce7cfe777f2e7487e8a1774af920a493fb742a476bd476
Opcode Fuzzy Hash: d6e68e4786753af15d10048948eb02bf92fc6069a55180b56051ab9d4999fbcc
Instruction Fuzzy Hash: 05319AB9D042589FCF10CFAAD584AEEFBB4AB49310F14902AE814B7310D775A985DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C19F5C, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,514A1B1F,DBBDF2D4), ref: 00C1AF47

Memory Dump Source

Source File: 00000002.00000002.686160433.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8f377f6964fba02358b3e642cfb69c5fc0a9812b27d501520830898917e93e6f
Instruction ID: e45207148e27c80f30a7e0c9efc217e57d2abca2f1c8a772d24e7cd3317f4424
Opcode Fuzzy Hash: 8f377f6964fba02358b3e642cfb69c5fc0a9812b27d501520830898917e93e6f
Instruction Fuzzy Hash: 0131AAB8D052589FCB10CFEAD484AEEFBB1AB09310F14902AE814B7310D774A985DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1AE98, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,514A1B1F,DBBDF2D4), ref: 00C1AF47

Memory Dump Source

Source File: 00000002.00000002.686160433.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5553fa95ab71bf67c6b19e3375670d9f75e430329f1ea6c5480cf4ca344265da
Instruction ID: 9569fc7358a77ab9b4d9bca050fc16a36aa21e05bedd7e97e961dcafea3cd97f
Opcode Fuzzy Hash: 5553fa95ab71bf67c6b19e3375670d9f75e430329f1ea6c5480cf4ca344265da
Instruction Fuzzy Hash: 74319AB9D052589FCB10CFA9E484ADEFBB1BB09310F14902AE854B7310D775A986DF64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: a.exe PID: 6648 Parent PID: 3424 a.exeCOMMON

Executed Functions

Function 009EAE98, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 009EAF47

Memory Dump Source

Source File: 00000003.00000002.686431010.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f1106839341cb1216a3ae1f7522dd24da6334ebeef5cad15d732f8a44157d2e3
Instruction ID: 073c889f4ffce6a6f8d2c198bf8dd9be2717b3e306dc48107cbe7639a23cc2ae
Opcode Fuzzy Hash: f1106839341cb1216a3ae1f7522dd24da6334ebeef5cad15d732f8a44157d2e3
Instruction Fuzzy Hash: 8F31ACB9D042589FCF10CFAAD884AEEFBB0BB19310F14902AE855B7210D775A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 009EEF98, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 009EF047

Memory Dump Source

Source File: 00000003.00000002.686431010.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4658891e548e7119f02c936f9f1ed154ec1b13e4c2388a31a85dda98c999d135
Instruction ID: d71846736b05e88f8728b9080adab975c11d5688b6d98c4afb8eb016ccb3c0fe
Opcode Fuzzy Hash: 4658891e548e7119f02c936f9f1ed154ec1b13e4c2388a31a85dda98c999d135
Instruction Fuzzy Hash: E73198B9D04258AFCF10CFAAD484AEEFBF4BB59310F14902AE814B7210D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 009EAEA0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 009EAF47

Memory Dump Source

Source File: 00000003.00000002.686431010.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fb85da4f5e63757cb4b5faa203d20c3dfc3eab348e443bd956ee384881b7b243
Instruction ID: 9283f0deec7aac7e516a3a5c6637b3d8680fe84ebefb44e6d805e89d090e1130
Opcode Fuzzy Hash: fb85da4f5e63757cb4b5faa203d20c3dfc3eab348e443bd956ee384881b7b243
Instruction Fuzzy Hash: E43199B9D042589FCB10CFAAD884ADEFBB4BB09310F14902AE814B7210D775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009EEFA0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 009EF047

Memory Dump Source

Source File: 00000003.00000002.686431010.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2dfab00418e365ac1a710fcc678412416bdc5976b87e4677c426493447f02a89
Instruction ID: b2d5ef5ed30779af67bd1f95cbb6022e8a98e8ff023f3eb6526f5394cee1a8f1
Opcode Fuzzy Hash: 2dfab00418e365ac1a710fcc678412416bdc5976b87e4677c426493447f02a89
Instruction Fuzzy Hash: 1D3179B9D042589FCB10CFAAD484ADEFBF4BB59310F14902AE815B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Dintec Order PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior