Play interactive tour

Edit tour

Analysis Report 13efMb6ayq.exe

Overview

General Information

Sample Name:	13efMb6ayq.exe
Analysis ID:	412090
MD5:	5003ed514f5ec9f0c5fbbc8994dfbfe7
SHA1:	71e8666304c34b0e4f96502c1a9747acf19acfa5
SHA256:	eec100fdef88c4bcd7fe30040ccd0476cac543ab8edda576c5e5a799606c585e
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

13efMb6ayq.exe (PID: 4664 cmdline: 'C:\Users\user\Desktop\13efMb6ayq.exe' MD5: 5003ED514F5EC9F0C5FBBC8994DFBFE7)

schtasks.exe (PID: 2924 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5988 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x144bd:$x1: NanoCore.ClientPluginHost 0x144fa:$x2: IClientNetworkHost 0x1802d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14225:$a: NanoCore 0x14235:$a: NanoCore 0x14469:$a: NanoCore 0x1447d:$a: NanoCore 0x144bd:$a: NanoCore 0x14284:$b: ClientPlugin 0x14486:$b: ClientPlugin 0x144c6:$b: ClientPlugin 0x143ab:$c: ProjectData 0x14db2:$d: DESCrypto 0x1c77e:$e: KeepAlive 0x1a76c:$g: LogClientMessage 0x16967:$i: get_Connected 0x150e8:$j: #=q 0x15118:$j: #=q 0x15134:$j: #=q 0x15164:$j: #=q 0x15180:$j: #=q 0x1519c:$j: #=q 0x151cc:$j: #=q 0x151e8:$j: #=q
00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b1d75:$x1: NanoCore.ClientPluginHost 0x1b1db2:$x2: IClientNetworkHost 0x1b58e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b1add:$a: NanoCore 0x1b1aed:$a: NanoCore 0x1b1d21:$a: NanoCore 0x1b1d35:$a: NanoCore 0x1b1d75:$a: NanoCore 0x1b1b3c:$b: ClientPlugin 0x1b1d3e:$b: ClientPlugin 0x1b1d7e:$b: ClientPlugin 0x1b1c63:$c: ProjectData 0x1b266a:$d: DESCrypto 0x1ba036:$e: KeepAlive 0x1b8024:$g: LogClientMessage 0x1b421f:$i: get_Connected 0x1b29a0:$j: #=q 0x1b29d0:$j: #=q 0x1b29ec:$j: #=q 0x1b2a1c:$j: #=q 0x1b2a38:$j: #=q 0x1b2a54:$j: #=q 0x1b2a84:$j: #=q 0x1b2aa0:$j: #=q
Process Memory Space: 13efMb6ayq.exe PID: 4664	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5d6b6:$x1: NanoCore.ClientPluginHost 0x5d717:$x2: IClientNetworkHost 0x62b1c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x70a8e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 13efMb6ayq.exe PID: 4664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 13efMb6ayq.exe PID: 4664	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 13efMb6ayq.exe PID: 4664	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5d1bb:$a: NanoCore 0x5d1d7:$a: NanoCore 0x5d332:$a: NanoCore 0x5d341:$a: NanoCore 0x5d61a:$a: NanoCore 0x5d646:$a: NanoCore 0x5d6b6:$a: NanoCore 0x6d0f8:$a: NanoCore 0x6d10a:$a: NanoCore 0x6d146:$a: NanoCore 0x5d262:$b: ClientPlugin 0x5d38b:$b: ClientPlugin 0x5d64f:$b: ClientPlugin 0x5d6bf:$b: ClientPlugin 0x6d113:$b: ClientPlugin 0x6d14f:$b: ClientPlugin 0x1cf5:$c: ProjectData 0x23a2e:$c: ProjectData 0x24c98:$c: ProjectData 0x5d4d8:$c: ProjectData 0x6d045:$c: ProjectData
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.13efMb6ayq.exe.4984be8.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.13efMb6ayq.exe.4984be8.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.13efMb6ayq.exe.4984be8.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.13efMb6ayq.exe.4984be8.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.13efMb6ayq.exe.4984be8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.13efMb6ayq.exe.4984be8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.13efMb6ayq.exe.4984be8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.13efMb6ayq.exe.47e3168.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b1c0d:$x1: NanoCore.ClientPluginHost 0x1b1c4a:$x2: IClientNetworkHost 0x1b577d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.13efMb6ayq.exe.47e3168.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.13efMb6ayq.exe.47e3168.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b1975:$a: NanoCore 0x1b1985:$a: NanoCore 0x1b1bb9:$a: NanoCore 0x1b1bcd:$a: NanoCore 0x1b1c0d:$a: NanoCore 0x1b19d4:$b: ClientPlugin 0x1b1bd6:$b: ClientPlugin 0x1b1c16:$b: ClientPlugin 0x1b1afb:$c: ProjectData 0x1b2502:$d: DESCrypto 0x1b9ece:$e: KeepAlive 0x1b7ebc:$g: LogClientMessage 0x1b40b7:$i: get_Connected 0x1b2838:$j: #=q 0x1b2868:$j: #=q 0x1b2884:$j: #=q 0x1b28b4:$j: #=q 0x1b28d0:$j: #=q 0x1b28ec:$j: #=q 0x1b291c:$j: #=q 0x1b2938:$j: #=q
Click to see the 5 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5988, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\13efMb6ayq.exe' , ParentImage: C:\Users\user\Desktop\13efMb6ayq.exe, ParentProcessId: 4664, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5988

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for domain / URL

Show sources

Source: wespeaktruthtoman.sytes.net

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 13efMb6ayq.exe

Virustotal: Detection: 26%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 13efMb6ayq.exe

Joe Sandbox ML: detected

Source: 13efMb6ayq.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 13efMb6ayq.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_01191690
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_011915A0
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_01191638
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_053D6F54
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_053DA988

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wespeaktruthtoman.sytes.net
Source: Malware configuration extractor	URLs: wespeaktruthtoman12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.5:49715 -> 79.134.225.47:5600

Source: Joe Sandbox View

IP Address: 79.134.225.47 79.134.225.47

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: wespeaktruthtoman.sytes.net

Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/1
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

PE file contains section with special chars

Show sources

Source: 13efMb6ayq.exe	Static PE information: section name: +j821Zo
Source: KdoySzebyGeRTO.exe.0.dr	Static PE information: section name: +j821Zo

PE file has nameless sections

Show sources

Source: 13efMb6ayq.exe	Static PE information: section name:
Source: KdoySzebyGeRTO.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011935F8	0_2_011935F8
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_0119B010	0_2_0119B010
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01192440	0_2_01192440
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011918B0	0_2_011918B0
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011904F9	0_2_011904F9
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01192BB0	0_2_01192BB0
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011965B8	0_2_011965B8
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011965C8	0_2_011965C8
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01196C31	0_2_01196C31
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01195370	0_2_01195370
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01195360	0_2_01195360
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011923A0	0_2_011923A0
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011967D9	0_2_011967D9
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011967E8	0_2_011967E8
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01196211	0_2_01196211
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01196A10	0_2_01196A10
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01196A00	0_2_01196A00
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053D1F50	0_2_053D1F50
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053D5668	0_2_053D5668
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053D8070	0_2_053D8070
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053D1F41	0_2_053D1F41
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A98908	0_2_05A98908
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A94560	0_2_05A94560
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A99008	0_2_05A99008
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A94078	0_2_05A94078
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A97FD8	0_2_05A97FD8
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A9A69D	0_2_05A9A69D
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A99638	0_2_05A99638
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A98192	0_2_05A98192
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A9312D	0_2_05A9312D

Source: 13efMb6ayq.exe	Binary or memory string: OriginalFilename vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.250794149.00000000053F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIRuntimeMethodInfo.exeF vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.251326518.0000000006060000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.251326518.0000000006060000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.251181665.0000000005F60000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs 13efMb6ayq.exe
Source: 13efMb6ayq.exe	Binary or memory string: OriginalFilenameIRuntimeMethodInfo.exeF vs 13efMb6ayq.exe

Source: 13efMb6ayq.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 13efMb6ayq.exe	Static PE information: Section: +j821Zo ZLIB complexity 1.00031287106
Source: KdoySzebyGeRTO.exe.0.dr	Static PE information: Section: +j821Zo ZLIB complexity 1.00031287106

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@48/1

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File created: C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Mutant created: \Sessions\1\BaseNamedObjects\jkTjyDgmmNRdT
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a7fa722b-7dae-45b1-afa6-302155a56210}

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE80E.tmp

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: 13efMb6ayq.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File read: C:\Users\user\Desktop\13efMb6ayq.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\13efMb6ayq.exe 'C:\Users\user\Desktop\13efMb6ayq.exe'
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 13efMb6ayq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 13efMb6ayq.exe

Static file information: File size 1250816 > 1048576

Source: 13efMb6ayq.exe

Static PE information: Raw size of +j821Zo is bigger than: 0x100000 < 0x121800

Source: 13efMb6ayq.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Unpacked PE file: 0.2.13efMb6ayq.exe.730000.0.unpack +j821Zo:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: 13efMb6ayq.exe	Static PE information: section name: +j821Zo
Source: 13efMb6ayq.exe	Static PE information: section name:
Source: KdoySzebyGeRTO.exe.0.dr	Static PE information: section name: +j821Zo
Source: KdoySzebyGeRTO.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_008413CC push ebp; iretd	0_2_008413CD
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_00841B18 push edi; ret	0_2_00841B2A
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01198174 push es; ret	0_2_0119817A
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011984E0 push ebp; iretd	0_2_011984E1
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_011940E6 push esi; ret	0_2_011940E7
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_0119931D push edi; ret	0_2_0119931E
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_01199327 push edi; ret	0_2_01199328
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053DE071 pushad ; ret	0_2_053DE083
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053DDD59 push es; ret	0_2_053DDD5A
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053DDD5B push es; ret	0_2_053DDD62
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053DDD41 push es; ret	0_2_053DDD42
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053DDD43 push es; ret	0_2_053DDD4A
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_053D9ED8 pushfd ; ret	0_2_053D9EE1
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Code function: 0_2_05A91DCE push edx; retf	0_2_05A91DD0

Source: initial sample	Static PE information: section name: +j821Zo entropy: 7.99985504348
Source: initial sample	Static PE information: section name: +j821Zo entropy: 7.99985504348

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File created: C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\13efMb6ayq.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6262	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 810	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 643	Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe TID: 5400	Thread sleep time: -100282s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe TID: 3500	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Thread delayed: delay time: 100282	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 13efMb6ayq.exe, 00000000.00000003.242407864.0000000000D20000.00000004.00000001.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f:y
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Code function: 0_2_01191690 CheckRemoteDebuggerPresent,

0_2_01191690

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 72E008	Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Users\user\Desktop\13efMb6ayq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\13efMb6ayq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\13efMb6ayq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: 13efMb6ayq.exe, 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection211	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
13efMb6ayq.exe	26%	Virustotal		Browse
13efMb6ayq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.13efMb6ayq.exe.730000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
wespeaktruthtoman.sytes.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	Virustotal		Browse
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
wespeaktruthtoman.sytes.net	0%	Avira URL Cloud	safe
wespeaktruthtoman12.sytes.net	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.html	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.htmlc	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/report/reporter_index.php?name=	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/1	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/downloads/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wespeaktruthtoman.sytes.net	79.134.225.47	true	true	8%, Virustotal, Browse	unknown
wespeaktruthtoman12.sytes.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wespeaktruthtoman.sytes.net	true	Avira URL Cloud: safe	unknown
wespeaktruthtoman12.sytes.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/index_ru.html	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/index_ru.htmlc	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/report/reporter_index.php?name=	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/1	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp	false		high
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/downloads/	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=	13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.47	wespeaktruthtoman.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412090
Start date:	12.05.2021
Start time:	11:55:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	13efMb6ayq.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@48/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1%) Quality average: 34.2% Quality standard deviation: 37.1%
HCA Information:	Successful, ratio: 90% Number of executed functions: 51 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 52.147.198.201, 92.122.145.220, 93.184.220.29, 40.88.32.150, 184.30.24.56, 20.50.102.62, 92.122.213.194, 92.122.213.247, 205.185.216.42, 205.185.216.10, 20.54.26.129, 20.82.209.183 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:56:14	API Interceptor	1x Sleep call for process: 13efMb6ayq.exe modified
11:56:19	API Interceptor	983x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.47	s65eJyjKga.exe	Get hash	malicious	Browse
	new order.xlsx	Get hash	malicious	Browse
	Ot3srIM10B.exe	Get hash	malicious	Browse
	kwK4iGa9DL.exe	Get hash	malicious	Browse
	4z9Saf2vu3.exe	Get hash	malicious	Browse
	image002933894HF8474H038RHF7.exe	Get hash	malicious	Browse
	IMG-PO-SCAN-DOCUMENTS-00HDU12.exe	Get hash	malicious	Browse
	IMAGE-SCAN-DOCUMENTS-002D.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wespeaktruthtoman.sytes.net	s65eJyjKga.exe	Get hash	malicious	Browse	79.134.225.47
	new order.xlsx	Get hash	malicious	Browse	79.134.225.47
	Ot3srIM10B.exe	Get hash	malicious	Browse	79.134.225.47
	kwK4iGa9DL.exe	Get hash	malicious	Browse	79.134.225.47
	4z9Saf2vu3.exe	Get hash	malicious	Browse	79.134.225.47
	ORDER 4553241.xlsx	Get hash	malicious	Browse	105.112.101.86
	Pu5UMH4fWK.exe	Get hash	malicious	Browse	79.134.225.14

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	PO #KV18RE001-A5491.exe	Get hash	malicious	Browse	79.134.225.91
	Devizni izvod za partiju 0050100073053.exe	Get hash	malicious	Browse	79.134.225.71
	QwUl4FaToe.exe	Get hash	malicious	Browse	79.134.225.71
	IMG_1035852_607.exe	Get hash	malicious	Browse	79.134.225.10
	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse	79.134.225.17
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	Give Offer CVE6535 _TVOP-MIO, pdf.exe	Get hash	malicious	Browse	79.134.225.8
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	RFQEMFA.Elektrik.pdf.exe	Get hash	malicious	Browse	79.134.225.17
	w85rzxid7y.exe	Get hash	malicious	Browse	79.134.225.81
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	s65eJyjKga.exe	Get hash	malicious	Browse	79.134.225.47
	new order.xlsx	Get hash	malicious	Browse	79.134.225.47
	Ot3srIM10B.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	wnQXyfONbS.exe	Get hash	malicious	Browse	79.134.225.82
	kwK4iGa9DL.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	4z9Saf2vu3.exe	Get hash	malicious	Browse	79.134.225.47
	NewOrderSupplypdf.exe	Get hash	malicious	Browse	79.134.225.52

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\13efMb6ayq.exe.log Download File
Process:	C:\Users\user\Desktop\13efMb6ayq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5:	8198C64CE0786EABD4C792E7E6FC30E5
SHA1:	71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256:	C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512:	EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpE80E.tmp Download File
Process:	C:\Users\user\Desktop\13efMb6ayq.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.173489332133557
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB4jtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3A
MD5:	AA258ECF15D4B8EAE0D25BC14E9364DB
SHA1:	C86E67F2A208055B174B948ABD563D99E8F3247D
SHA-256:	C99758943A96EF108590C403E08989158C1E3F970A479F26611DB42E8BC9E96F
SHA-512:	D4F1735572F337B008258527B35517D73BFE76BA32584B1A02C53511886D32242F35A390BE6C0DEC56837F06AF2F0855AE84567547618ED67B6B3BC7BD78528D
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:oi8n:oi8
MD5:	3C7F8EF66EA764B5B594543E8361A6B6
SHA1:	58DCDCC3E7F7575E5768ED9A5F335D15B50D63BC
SHA-256:	538BC6C18A2964BF839571116569E8BEB0D388ED8AF16090349D990BF2D24AD4
SHA-512:	D288DA67A544D4F15B525672A89DF9F791EF26530DC8D4FB5EA7E65A01823AB4EB81B4A9276304D00A5BF6D6774452C91AD7D5DAB5E0E1A643F4474549488F6E
Malicious:	true
Reputation:	low
Preview:	...w..H

C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe Download File
Process:	C:\Users\user\Desktop\13efMb6ayq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1250816
Entropy (8bit):	7.982339309647317
Encrypted:	false
SSDEEP:	24576:fB4YJ28quwK87NXNAekJ+pL04NVMOVgrmjX0970Jorgb8OvDUo80:6d1uwHNXeeD0zOVxjE97060b8Ov38
MD5:	5003ED514F5EC9F0C5FBBC8994DFBFE7
SHA1:	71E8666304C34B0E4F96502C1A9747ACF19ACFA5
SHA-256:	EEC100FDEF88C4BCD7FE30040CCD0476CAC543AB8EDDA576C5E5A799606C585E
SHA-512:	33C17242AD0F184610CFF328EFD33833636C4A479C0990DB32EF78E88EC73B113D4A968107F04C6DC6708A6A1510F1C5C4954A94F5E5FDA65BBB87DA0A2DED89
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......P.......`...@... ....@.. ....................................@..................................H..O........4...................@.......................................................`...............@..H...........+j8.21Zo..... ......................@....text........@...................... ..`.rsrc....4.......6..................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\KdoySzebyGeRTO.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\13efMb6ayq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.982339309647317
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	13efMb6ayq.exe
File size:	1250816
MD5:	5003ed514f5ec9f0c5fbbc8994dfbfe7
SHA1:	71e8666304c34b0e4f96502c1a9747acf19acfa5
SHA256:	eec100fdef88c4bcd7fe30040ccd0476cac543ab8edda576c5e5a799606c585e
SHA512:	33c17242ad0f184610cff328efd33833636c4a479c0990db32ef78e88ec73b113d4a968107f04c6dc6708a6a1510f1c5c4954a94f5e5fda65bbb87da0a2ded89
SSDEEP:	24576:fB4YJ28quwK87NXNAekJ+pL04NVMOVgrmjX0970Jorgb8OvDUo80:6d1uwHNXeeD0zOVxjE97060b8Ov38
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......P.......`...@... ....@.. ....................................@................................

File Icon


Icon Hash:	f2d2e9fcc4ead362

Static PE Info

General
Entrypoint:	0x53600a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B8A89 [Wed May 12 07:58:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00536000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1248ac	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x130000	0x34c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x134000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x136000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x124000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
+j821Zo	0x2000	0x1217bc	0x121800	False	1.00031287106	data	7.99985504348	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0x124000	0xbeb8	0xc000	False	0.444742838542	data	5.99458868006	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x130000	0x34c0	0x3600	False	0.361038773148	data	5.24830765917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x134000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x136000	0x10	0x200	False	0.044921875	data	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x130130	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x1326d8	0x14	data
RT_VERSION	0x1326ec	0x36c	data
RT_MANIFEST	0x132a58	0xa65	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	IRuntimeMethodInfo.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	IRuntimeMethodInfo.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 11:56:22.281764984 CEST	49715	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:22.357716084 CEST	5600	49715	79.134.225.47	192.168.2.5
May 12, 2021 11:56:22.864218950 CEST	49715	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:22.941792965 CEST	5600	49715	79.134.225.47	192.168.2.5
May 12, 2021 11:56:23.552285910 CEST	49715	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:23.628170013 CEST	5600	49715	79.134.225.47	192.168.2.5
May 12, 2021 11:56:28.048727036 CEST	49718	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:28.128902912 CEST	5600	49718	79.134.225.47	192.168.2.5
May 12, 2021 11:56:28.645586014 CEST	49718	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:28.725637913 CEST	5600	49718	79.134.225.47	192.168.2.5
May 12, 2021 11:56:29.239418030 CEST	49718	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:29.320132971 CEST	5600	49718	79.134.225.47	192.168.2.5
May 12, 2021 11:56:33.456083059 CEST	49723	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:33.532042980 CEST	5600	49723	79.134.225.47	192.168.2.5
May 12, 2021 11:56:34.064884901 CEST	49723	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:34.140707970 CEST	5600	49723	79.134.225.47	192.168.2.5
May 12, 2021 11:56:34.771064997 CEST	49723	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:34.846941948 CEST	5600	49723	79.134.225.47	192.168.2.5
May 12, 2021 11:56:52.535027027 CEST	49725	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:52.610995054 CEST	5600	49725	79.134.225.47	192.168.2.5
May 12, 2021 11:56:53.272712946 CEST	49725	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:53.348802090 CEST	5600	49725	79.134.225.47	192.168.2.5
May 12, 2021 11:56:53.960200071 CEST	49725	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:54.036463976 CEST	5600	49725	79.134.225.47	192.168.2.5
May 12, 2021 11:56:58.121556044 CEST	49727	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:58.198653936 CEST	5600	49727	79.134.225.47	192.168.2.5
May 12, 2021 11:56:58.773147106 CEST	49727	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:58.853504896 CEST	5600	49727	79.134.225.47	192.168.2.5
May 12, 2021 11:56:59.460745096 CEST	49727	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:56:59.536813974 CEST	5600	49727	79.134.225.47	192.168.2.5
May 12, 2021 11:57:03.647186041 CEST	49729	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:03.723046064 CEST	5600	49729	79.134.225.47	192.168.2.5
May 12, 2021 11:57:04.226886988 CEST	49729	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:04.302859068 CEST	5600	49729	79.134.225.47	192.168.2.5
May 12, 2021 11:57:04.805072069 CEST	49729	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:04.883039951 CEST	5600	49729	79.134.225.47	192.168.2.5
May 12, 2021 11:57:22.134888887 CEST	49737	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:22.213671923 CEST	5600	49737	79.134.225.47	192.168.2.5
May 12, 2021 11:57:22.728266001 CEST	49737	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:22.807145119 CEST	5600	49737	79.134.225.47	192.168.2.5
May 12, 2021 11:57:23.322186947 CEST	49737	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:23.402050018 CEST	5600	49737	79.134.225.47	192.168.2.5
May 12, 2021 11:57:27.720781088 CEST	49738	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:27.798253059 CEST	5600	49738	79.134.225.47	192.168.2.5
May 12, 2021 11:57:28.306972027 CEST	49738	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:28.382766008 CEST	5600	49738	79.134.225.47	192.168.2.5
May 12, 2021 11:57:28.885368109 CEST	49738	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:28.961153030 CEST	5600	49738	79.134.225.47	192.168.2.5
May 12, 2021 11:57:33.065783024 CEST	49739	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:33.141863108 CEST	5600	49739	79.134.225.47	192.168.2.5
May 12, 2021 11:57:33.651046991 CEST	49739	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:33.728403091 CEST	5600	49739	79.134.225.47	192.168.2.5
May 12, 2021 11:57:34.229268074 CEST	49739	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:34.305474043 CEST	5600	49739	79.134.225.47	192.168.2.5
May 12, 2021 11:57:51.332679987 CEST	49742	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:51.411637068 CEST	5600	49742	79.134.225.47	192.168.2.5
May 12, 2021 11:57:51.918251991 CEST	49742	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:51.997203112 CEST	5600	49742	79.134.225.47	192.168.2.5
May 12, 2021 11:57:52.512095928 CEST	49742	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:52.591227055 CEST	5600	49742	79.134.225.47	192.168.2.5
May 12, 2021 11:57:56.701483965 CEST	49743	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:56.781137943 CEST	5600	49743	79.134.225.47	192.168.2.5
May 12, 2021 11:57:57.293746948 CEST	49743	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:57.372451067 CEST	5600	49743	79.134.225.47	192.168.2.5
May 12, 2021 11:57:57.887496948 CEST	49743	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:57:57.966150999 CEST	5600	49743	79.134.225.47	192.168.2.5
May 12, 2021 11:58:02.072910070 CEST	49744	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:58:02.151597977 CEST	5600	49744	79.134.225.47	192.168.2.5
May 12, 2021 11:58:02.653527975 CEST	49744	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:58:02.734643936 CEST	5600	49744	79.134.225.47	192.168.2.5
May 12, 2021 11:58:03.247381926 CEST	49744	5600	192.168.2.5	79.134.225.47
May 12, 2021 11:58:03.326116085 CEST	5600	49744	79.134.225.47	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 11:55:59.210716009 CEST	53	65307	8.8.8.8	192.168.2.5
May 12, 2021 11:55:59.225861073 CEST	53	62060	8.8.8.8	192.168.2.5
May 12, 2021 11:55:59.230595112 CEST	53	64344	8.8.8.8	192.168.2.5
May 12, 2021 11:55:59.243119955 CEST	61805	53	192.168.2.5	8.8.8.8
May 12, 2021 11:55:59.292054892 CEST	53	61805	8.8.8.8	192.168.2.5
May 12, 2021 11:55:59.353940010 CEST	54795	53	192.168.2.5	8.8.8.8
May 12, 2021 11:55:59.404156923 CEST	53	54795	8.8.8.8	192.168.2.5
May 12, 2021 11:56:00.123471022 CEST	49557	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:00.180892944 CEST	53	49557	8.8.8.8	192.168.2.5
May 12, 2021 11:56:00.927726030 CEST	61733	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:00.984846115 CEST	53	61733	8.8.8.8	192.168.2.5
May 12, 2021 11:56:01.720897913 CEST	65447	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:01.778446913 CEST	53	65447	8.8.8.8	192.168.2.5
May 12, 2021 11:56:02.521372080 CEST	52441	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:02.571652889 CEST	53	52441	8.8.8.8	192.168.2.5
May 12, 2021 11:56:03.420166969 CEST	62176	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:03.470977068 CEST	53	62176	8.8.8.8	192.168.2.5
May 12, 2021 11:56:04.322504044 CEST	59596	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:04.371371984 CEST	53	59596	8.8.8.8	192.168.2.5
May 12, 2021 11:56:05.106908083 CEST	65296	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:05.159462929 CEST	53	65296	8.8.8.8	192.168.2.5
May 12, 2021 11:56:06.032879114 CEST	63183	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:06.081615925 CEST	53	63183	8.8.8.8	192.168.2.5
May 12, 2021 11:56:06.975989103 CEST	60151	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:07.027590990 CEST	53	60151	8.8.8.8	192.168.2.5
May 12, 2021 11:56:22.142874002 CEST	56969	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:22.201960087 CEST	53	56969	8.8.8.8	192.168.2.5
May 12, 2021 11:56:27.984225988 CEST	55161	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:28.046653032 CEST	53	55161	8.8.8.8	192.168.2.5
May 12, 2021 11:56:28.945059061 CEST	54757	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:29.012820959 CEST	53	54757	8.8.8.8	192.168.2.5
May 12, 2021 11:56:31.553553104 CEST	49992	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:31.621473074 CEST	53	49992	8.8.8.8	192.168.2.5
May 12, 2021 11:56:33.361536980 CEST	60075	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:33.421668053 CEST	53	60075	8.8.8.8	192.168.2.5
May 12, 2021 11:56:38.899353981 CEST	55016	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:38.958455086 CEST	53	55016	8.8.8.8	192.168.2.5
May 12, 2021 11:56:39.105220079 CEST	64345	53	192.168.2.5	8.8.4.4
May 12, 2021 11:56:39.165150881 CEST	53	64345	8.8.4.4	192.168.2.5
May 12, 2021 11:56:39.210704088 CEST	57128	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:39.268415928 CEST	53	57128	8.8.8.8	192.168.2.5
May 12, 2021 11:56:42.095846891 CEST	54791	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:42.154405117 CEST	53	54791	8.8.8.8	192.168.2.5
May 12, 2021 11:56:43.317101955 CEST	50463	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:43.379637003 CEST	53	50463	8.8.8.8	192.168.2.5
May 12, 2021 11:56:43.460725069 CEST	50394	53	192.168.2.5	8.8.4.4
May 12, 2021 11:56:43.518410921 CEST	53	50394	8.8.4.4	192.168.2.5
May 12, 2021 11:56:43.543571949 CEST	58530	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:43.600579977 CEST	53	58530	8.8.8.8	192.168.2.5
May 12, 2021 11:56:47.649982929 CEST	53813	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:47.712074995 CEST	53	53813	8.8.8.8	192.168.2.5
May 12, 2021 11:56:47.715277910 CEST	63732	53	192.168.2.5	8.8.4.4
May 12, 2021 11:56:47.764663935 CEST	53	63732	8.8.4.4	192.168.2.5
May 12, 2021 11:56:48.144627094 CEST	57344	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:48.193918943 CEST	53	57344	8.8.8.8	192.168.2.5
May 12, 2021 11:56:52.470195055 CEST	54450	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:52.532334089 CEST	53	54450	8.8.8.8	192.168.2.5
May 12, 2021 11:56:54.883038998 CEST	59261	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:54.957290888 CEST	53	59261	8.8.8.8	192.168.2.5
May 12, 2021 11:56:58.062475920 CEST	57151	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:58.120215893 CEST	53	57151	8.8.8.8	192.168.2.5
May 12, 2021 11:56:59.484330893 CEST	59413	53	192.168.2.5	8.8.8.8
May 12, 2021 11:56:59.546802998 CEST	53	59413	8.8.8.8	192.168.2.5
May 12, 2021 11:57:03.570048094 CEST	60516	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:03.624087095 CEST	53	60516	8.8.8.8	192.168.2.5
May 12, 2021 11:57:06.724078894 CEST	51649	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:06.785554886 CEST	53	51649	8.8.8.8	192.168.2.5
May 12, 2021 11:57:08.947585106 CEST	65086	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:09.000730038 CEST	53	65086	8.8.8.8	192.168.2.5
May 12, 2021 11:57:09.007044077 CEST	56432	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:09.066996098 CEST	53	56432	8.8.4.4	192.168.2.5
May 12, 2021 11:57:09.161456108 CEST	52929	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:09.220006943 CEST	53	52929	8.8.8.8	192.168.2.5
May 12, 2021 11:57:10.326390028 CEST	64317	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:10.387623072 CEST	53	64317	8.8.8.8	192.168.2.5
May 12, 2021 11:57:13.378760099 CEST	61004	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:13.435967922 CEST	53	61004	8.8.8.8	192.168.2.5
May 12, 2021 11:57:13.470868111 CEST	56895	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:13.530239105 CEST	53	56895	8.8.4.4	192.168.2.5
May 12, 2021 11:57:13.537861109 CEST	62372	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:13.595016003 CEST	53	62372	8.8.8.8	192.168.2.5
May 12, 2021 11:57:17.634048939 CEST	61515	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:17.691037893 CEST	53	61515	8.8.8.8	192.168.2.5
May 12, 2021 11:57:17.694406986 CEST	56675	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:17.751338959 CEST	53	56675	8.8.4.4	192.168.2.5
May 12, 2021 11:57:17.970109940 CEST	57172	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:18.023912907 CEST	53	57172	8.8.8.8	192.168.2.5
May 12, 2021 11:57:22.074270964 CEST	55267	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:22.133522034 CEST	53	55267	8.8.8.8	192.168.2.5
May 12, 2021 11:57:27.656297922 CEST	50969	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:27.715954065 CEST	53	50969	8.8.8.8	192.168.2.5
May 12, 2021 11:57:33.002366066 CEST	64362	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:33.064666986 CEST	53	64362	8.8.8.8	192.168.2.5
May 12, 2021 11:57:38.339844942 CEST	54766	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:38.398958921 CEST	53	54766	8.8.8.8	192.168.2.5
May 12, 2021 11:57:38.438786030 CEST	61446	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:38.499377966 CEST	53	61446	8.8.4.4	192.168.2.5
May 12, 2021 11:57:38.542026043 CEST	57515	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:38.602956057 CEST	53	57515	8.8.8.8	192.168.2.5
May 12, 2021 11:57:42.564567089 CEST	58199	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:42.622159004 CEST	53	58199	8.8.8.8	192.168.2.5
May 12, 2021 11:57:42.631194115 CEST	65221	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:42.683355093 CEST	53	65221	8.8.8.8	192.168.2.5
May 12, 2021 11:57:42.688484907 CEST	61573	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:42.749973059 CEST	53	61573	8.8.4.4	192.168.2.5
May 12, 2021 11:57:42.779257059 CEST	56562	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:42.839169979 CEST	53	56562	8.8.8.8	192.168.2.5
May 12, 2021 11:57:46.912286043 CEST	53591	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:46.975523949 CEST	53	53591	8.8.8.8	192.168.2.5
May 12, 2021 11:57:47.078147888 CEST	59688	53	192.168.2.5	8.8.4.4
May 12, 2021 11:57:47.138158083 CEST	53	59688	8.8.4.4	192.168.2.5
May 12, 2021 11:57:47.173043966 CEST	56032	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:47.199074984 CEST	61150	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:47.230050087 CEST	53	56032	8.8.8.8	192.168.2.5
May 12, 2021 11:57:47.274666071 CEST	53	61150	8.8.8.8	192.168.2.5
May 12, 2021 11:57:51.274241924 CEST	63458	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:51.331151009 CEST	53	63458	8.8.8.8	192.168.2.5
May 12, 2021 11:57:56.642632961 CEST	50422	53	192.168.2.5	8.8.8.8
May 12, 2021 11:57:56.699822903 CEST	53	50422	8.8.8.8	192.168.2.5
May 12, 2021 11:58:02.016817093 CEST	53247	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:02.070880890 CEST	53	53247	8.8.8.8	192.168.2.5
May 12, 2021 11:58:07.372509003 CEST	58544	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:07.429737091 CEST	53	58544	8.8.8.8	192.168.2.5
May 12, 2021 11:58:07.433084011 CEST	53814	53	192.168.2.5	8.8.4.4
May 12, 2021 11:58:07.490560055 CEST	53	53814	8.8.4.4	192.168.2.5
May 12, 2021 11:58:07.615370035 CEST	51305	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:07.675365925 CEST	53	51305	8.8.8.8	192.168.2.5
May 12, 2021 11:58:11.712347984 CEST	53670	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:11.763190031 CEST	53	53670	8.8.8.8	192.168.2.5
May 12, 2021 11:58:11.815891027 CEST	55160	53	192.168.2.5	8.8.4.4
May 12, 2021 11:58:11.875965118 CEST	53	55160	8.8.4.4	192.168.2.5
May 12, 2021 11:58:11.963767052 CEST	61414	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:12.012665987 CEST	53	61414	8.8.8.8	192.168.2.5
May 12, 2021 11:58:16.017546892 CEST	63847	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:16.071338892 CEST	53	63847	8.8.8.8	192.168.2.5
May 12, 2021 11:58:16.083134890 CEST	61523	53	192.168.2.5	8.8.4.4
May 12, 2021 11:58:16.131964922 CEST	53	61523	8.8.4.4	192.168.2.5
May 12, 2021 11:58:16.167382002 CEST	50551	53	192.168.2.5	8.8.8.8
May 12, 2021 11:58:16.225055933 CEST	53	50551	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 11:56:22.142874002 CEST	192.168.2.5	8.8.8.8	0x69eb	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:27.984225988 CEST	192.168.2.5	8.8.8.8	0xd0a5	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:33.361536980 CEST	192.168.2.5	8.8.8.8	0xd650	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:38.899353981 CEST	192.168.2.5	8.8.8.8	0xfa70	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:39.105220079 CEST	192.168.2.5	8.8.4.4	0xfda2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:39.210704088 CEST	192.168.2.5	8.8.8.8	0x2df9	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:43.317101955 CEST	192.168.2.5	8.8.8.8	0xae1c	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:43.460725069 CEST	192.168.2.5	8.8.4.4	0x32d2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:43.543571949 CEST	192.168.2.5	8.8.8.8	0x9370	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:47.649982929 CEST	192.168.2.5	8.8.8.8	0xbb56	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:47.715277910 CEST	192.168.2.5	8.8.4.4	0x290	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:48.144627094 CEST	192.168.2.5	8.8.8.8	0x3617	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:52.470195055 CEST	192.168.2.5	8.8.8.8	0x2268	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:56:58.062475920 CEST	192.168.2.5	8.8.8.8	0x4b7a	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:03.570048094 CEST	192.168.2.5	8.8.8.8	0x3fce	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:08.947585106 CEST	192.168.2.5	8.8.8.8	0x792a	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:09.007044077 CEST	192.168.2.5	8.8.4.4	0xb7c6	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:09.161456108 CEST	192.168.2.5	8.8.8.8	0x7f32	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:13.378760099 CEST	192.168.2.5	8.8.8.8	0x8e0d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:13.470868111 CEST	192.168.2.5	8.8.4.4	0xd121	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:13.537861109 CEST	192.168.2.5	8.8.8.8	0xd97f	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:17.634048939 CEST	192.168.2.5	8.8.8.8	0xaa52	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:17.694406986 CEST	192.168.2.5	8.8.4.4	0x3479	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:17.970109940 CEST	192.168.2.5	8.8.8.8	0x2d58	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:22.074270964 CEST	192.168.2.5	8.8.8.8	0x446a	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:27.656297922 CEST	192.168.2.5	8.8.8.8	0x439f	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:33.002366066 CEST	192.168.2.5	8.8.8.8	0x1e77	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:38.339844942 CEST	192.168.2.5	8.8.8.8	0x249d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:38.438786030 CEST	192.168.2.5	8.8.4.4	0x2be	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:38.542026043 CEST	192.168.2.5	8.8.8.8	0x6262	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:42.631194115 CEST	192.168.2.5	8.8.8.8	0x6c02	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:42.688484907 CEST	192.168.2.5	8.8.4.4	0xf13f	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:42.779257059 CEST	192.168.2.5	8.8.8.8	0xcd2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:46.912286043 CEST	192.168.2.5	8.8.8.8	0xb7ba	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:47.078147888 CEST	192.168.2.5	8.8.4.4	0x342f	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:47.173043966 CEST	192.168.2.5	8.8.8.8	0xf1a0	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:51.274241924 CEST	192.168.2.5	8.8.8.8	0xee91	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:57:56.642632961 CEST	192.168.2.5	8.8.8.8	0xb942	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:02.016817093 CEST	192.168.2.5	8.8.8.8	0xe468	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:07.372509003 CEST	192.168.2.5	8.8.8.8	0x5c47	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:07.433084011 CEST	192.168.2.5	8.8.4.4	0x5831	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:07.615370035 CEST	192.168.2.5	8.8.8.8	0xd723	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:11.712347984 CEST	192.168.2.5	8.8.8.8	0x1d02	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:11.815891027 CEST	192.168.2.5	8.8.4.4	0x17c2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:11.963767052 CEST	192.168.2.5	8.8.8.8	0xdfd2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:16.017546892 CEST	192.168.2.5	8.8.8.8	0x244d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:16.083134890 CEST	192.168.2.5	8.8.4.4	0xdfd9	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 11:58:16.167382002 CEST	192.168.2.5	8.8.8.8	0xa769	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 11:56:22.201960087 CEST	8.8.8.8	192.168.2.5	0x69eb	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:56:28.046653032 CEST	8.8.8.8	192.168.2.5	0xd0a5	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:56:33.421668053 CEST	8.8.8.8	192.168.2.5	0xd650	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:56:52.532334089 CEST	8.8.8.8	192.168.2.5	0x2268	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:56:58.120215893 CEST	8.8.8.8	192.168.2.5	0x4b7a	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:03.624087095 CEST	8.8.8.8	192.168.2.5	0x3fce	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:22.133522034 CEST	8.8.8.8	192.168.2.5	0x446a	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:27.715954065 CEST	8.8.8.8	192.168.2.5	0x439f	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:33.064666986 CEST	8.8.8.8	192.168.2.5	0x1e77	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:51.331151009 CEST	8.8.8.8	192.168.2.5	0xee91	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:57:56.699822903 CEST	8.8.8.8	192.168.2.5	0xb942	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 11:58:02.070880890 CEST	8.8.8.8	192.168.2.5	0xe468	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 13efMb6ayq.exe PID: 4664 Parent PID: 5808

General

Start time:	11:56:06
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\13efMb6ayq.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\13efMb6ayq.exe'
Imagebase:	0x730000
File size:	1250816 bytes
MD5 hash:	5003ED514F5EC9F0C5FBBC8994DFBFE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2924 Parent PID: 4664

General

Start time:	11:56:16
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp'
Imagebase:	0x1280000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3756 Parent PID: 2924

General

Start time:	11:56:17
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5988 Parent PID: 4664

General

Start time:	11:56:17
Start date:	12/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x550000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 13efMb6ayq.exe PID: 4664 Parent PID: 5808 13efMb6ayq.exeCOMMON

Executed Functions

Function 0119B010, Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

R39-, xrefs: 0119B2B2
R39-, xrefs: 0119B2A4

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: R39-$R39-
API String ID: 0-253041474
Opcode ID: 179ccc676d5cd69a207b1075c35bc85f9b767b703e3790a20e08064c65872881
Instruction ID: c0db0e695eb64d10252cc35398b6496d553f3dc63f6861faf4684c3ceb807b13
Opcode Fuzzy Hash: 179ccc676d5cd69a207b1075c35bc85f9b767b703e3790a20e08064c65872881
Instruction Fuzzy Hash: 92C11470D09218CFCF58DFA8D990ADDBBB2FF88304F158569C02AAB254DB359941CF29

Uniqueness

Uniqueness Score: -1.00%

Function 05A94078, Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

sLY, xrefs: 05A94224
yBe, xrefs: 05A94269

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID: sLY$yBe
API String ID: 0-667910923
Opcode ID: 237d66cab4eb50c208e358c58e99db16590181420b0cf048994bbee50ed6a5fe
Instruction ID: 8ad155187c8d9c82034bdc5132ca61d45d276f80435544b2695627a78f8a9823
Opcode Fuzzy Hash: 237d66cab4eb50c208e358c58e99db16590181420b0cf048994bbee50ed6a5fe
Instruction Fuzzy Hash: 58B10774E05229DBCF08DFAAC5409EEFBF2BF99300F24C165D415AB358E73499468B64

Uniqueness

Uniqueness Score: -1.00%

Function 011904F9, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

<, xrefs: 01190619
Yj%K, xrefs: 011906A5

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: <$Yj%K
API String ID: 0-209955216
Opcode ID: d5602e7e4d8eeebddb6a1fa324107d637ea0616a77f57bd94f64713af61ad8a6
Instruction ID: 89fa78b09f84f3ba073fa4afe476b115de4e55e2f80e86bb5c2d6e7ea4debc0c
Opcode Fuzzy Hash: d5602e7e4d8eeebddb6a1fa324107d637ea0616a77f57bd94f64713af61ad8a6
Instruction Fuzzy Hash: FE51A475E046189FDB58CFAAC9406DDBBF2BF89300F14C0AAD519AB264EB305A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011915A0, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0119172C

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4093d7b1e8254ce3a4ddeebae8ba479315103579c9e5d386d856246f494e12a0
Instruction ID: 85df845289766a093ce9c6959b13eed4c1d6904a69ceb2a4f22279f6181929b2
Opcode Fuzzy Hash: 4093d7b1e8254ce3a4ddeebae8ba479315103579c9e5d386d856246f494e12a0
Instruction Fuzzy Hash: 31712675D063599FCB45CFB4C4806DDBBF0AF0A328F2840A9E854AB211D3369A4ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 01191638, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0119172C

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 14d5e0a568bc1ad5f7cf48799e37a013b788362cfca666f2ce1ca9cf108e3217
Instruction ID: 16a56846d53ea3740d1f988c0581497c4ca78f6d807d24b86aaf32d58adcc153
Opcode Fuzzy Hash: 14d5e0a568bc1ad5f7cf48799e37a013b788362cfca666f2ce1ca9cf108e3217
Instruction Fuzzy Hash: 79411375D052599FCB44CFA8D484AEDBBF0BF1A324F18906AE454B7211D338AA46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01191690, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0119172C

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ebfcb1f2cd769384dea51167406ef7796194b65d5ac4d3b57410401bd6e07da7
Instruction ID: 47e77119c8a1056b37116819f8113d13ab877e47920b0bfd15c1ab49c6e16b1d
Opcode Fuzzy Hash: ebfcb1f2cd769384dea51167406ef7796194b65d5ac4d3b57410401bd6e07da7
Instruction Fuzzy Hash: C441CEB5D04259DFCF04CFA9D584AEEFBF4AB09324F14905AE414B7250D738AA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A99638, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

0q|, xrefs: 05A998C5

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID: 0q|
API String ID: 0-4164726831
Opcode ID: 5a46a49def1989c3557afe26a19b72b0aadac089cef9f3a72a84792e3372e662
Instruction ID: 13ad7ad1d46a6afef35957a5f9f4e37de3f5dca9e3bd1be99cf57d5786347552
Opcode Fuzzy Hash: 5a46a49def1989c3557afe26a19b72b0aadac089cef9f3a72a84792e3372e662
Instruction Fuzzy Hash: B5810474E142199FCF48DFA6D9449AEFBB2FF89300F10852AD416AB364DB349902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01192BB0, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

@J[, xrefs: 01192D59

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: @J[
API String ID: 0-3303442783
Opcode ID: 25c262daf8413d80f3a0c5f73baba545512c7d2507ba93d20d44701ebd12f4ea
Instruction ID: b18bf9f0efad0e65b36b32d1cfe5dc1a62dfc0f639469a15d5bb51f62bbfb9cf
Opcode Fuzzy Hash: 25c262daf8413d80f3a0c5f73baba545512c7d2507ba93d20d44701ebd12f4ea
Instruction Fuzzy Hash: 44512BB0E0420A9FDB08CFA6D4506AEFBF2FB89300F14D46AD429B7254E7349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 011918B0, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

k){, xrefs: 011919A5

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: k){
API String ID: 0-3610107401
Opcode ID: bedb528cfb57dde1ad6bbca99f400ba03b3218e41ec9879583f04b938a76e660
Instruction ID: 8226c4f1851e8c0f523d839d5cbb84e858ea4cae43b993abd926b140b197d6de
Opcode Fuzzy Hash: bedb528cfb57dde1ad6bbca99f400ba03b3218e41ec9879583f04b938a76e660
Instruction Fuzzy Hash: 6241EAB1E046189FDB58DFAAD850B9DB7F3FF89200F04C1BAD518AB254DB305A858F61

Uniqueness

Uniqueness Score: -1.00%

Function 05A97FD8, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

N4S;, xrefs: 05A98046

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID: N4S;
API String ID: 0-1500535533
Opcode ID: 215bbc3ad5fbb07164c0c331cf2a591cbdd4e09f57893e0a52a44ba3b6e6a07f
Instruction ID: c2f81633d70ea4a5049cc59651dec4c552b85afa5f37b98c2caf196d9416c91e
Opcode Fuzzy Hash: 215bbc3ad5fbb07164c0c331cf2a591cbdd4e09f57893e0a52a44ba3b6e6a07f
Instruction Fuzzy Hash: BF317E70E19229DBCF48CFA5D9459EDFBF3AB8E210F14952AC506F7314DB3889018B28

Uniqueness

Uniqueness Score: -1.00%

Function 05A99008, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4575d922ea4d14a00e37cf6daf8df080a53c7fa28023527d89ea1c4241575f
Instruction ID: a8b358623c18d96ec39b815849adda96594414aee0a449304450c68a86a0dd37
Opcode Fuzzy Hash: da4575d922ea4d14a00e37cf6daf8df080a53c7fa28023527d89ea1c4241575f
Instruction Fuzzy Hash: 4AD1F674E05218AFDF08CFA5D945B9EBBF2BB89711F20902AE41AFB394D7349D418B14

Uniqueness

Uniqueness Score: -1.00%

Function 011923A0, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156c90a2380a40056a24c0e44b4ecb80e936c7b6f274283e07416884c0a3d876
Instruction ID: f0ebe7047ba991ad7c983fcb1d865a8856cc9292995f04e787043b1907610217
Opcode Fuzzy Hash: 156c90a2380a40056a24c0e44b4ecb80e936c7b6f274283e07416884c0a3d876
Instruction Fuzzy Hash: 49B17874E05319DFDB09CFA9C8809DDBBB2FF8A314F24806AD815AB264D735A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01192440, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370a451e45818026e21cc57c5a93e90f97e0893433d7909816fc3a5af9a77e43
Instruction ID: 47235f8e8b888314d8abd01e3b53e23e927130ee2872819420f5da48b1368afe
Opcode Fuzzy Hash: 370a451e45818026e21cc57c5a93e90f97e0893433d7909816fc3a5af9a77e43
Instruction Fuzzy Hash: 2681E374E142199FDB08CFE9C984ADEBBB2FF89300F20912AD915BB358D7349945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05A94560, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331990e74226eb69d17f72664a1c8aa1e2762441f44fda93fa2b580ce93d1546
Instruction ID: 7ae625f54649e39ba1c07099f51d018b74c3ce7cdd38dda77b140fca110846c9
Opcode Fuzzy Hash: 331990e74226eb69d17f72664a1c8aa1e2762441f44fda93fa2b580ce93d1546
Instruction Fuzzy Hash: CF714874E0521A8BCF48CFEAC5809AEFBF2BF89310F14D426D515B7258D7749A428FA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A69D, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c48a02d73ea71a6c37f7f8c71353ba6da96e0860c6c389931e9bdec4627f34
Instruction ID: 865c2d880a5af7e3deaeb504fbac3ce53a27cfcdb43fffc556d6ba04a60c56e5
Opcode Fuzzy Hash: 73c48a02d73ea71a6c37f7f8c71353ba6da96e0860c6c389931e9bdec4627f34
Instruction Fuzzy Hash: B8517974E4522ACFCB64CF65D940BEDB7B2BB88300F1096E6D409A7250E7349AC58F54

Uniqueness

Uniqueness Score: -1.00%

Function 05A98908, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac29a8648de34a9184226119e8831c7be12941aff8df98397310af1815849d51
Instruction ID: 6700d13d13f82cd18f085efc04781ea19afe0ad0688a7ba757b21a78e3ae2204
Opcode Fuzzy Hash: ac29a8648de34a9184226119e8831c7be12941aff8df98397310af1815849d51
Instruction Fuzzy Hash: 7B412A31E152299BCF08CFA5E9449EEFBF2BB8E250F14952AD406F7254D73898018B69

Uniqueness

Uniqueness Score: -1.00%

Function 053D1F41, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450a7d880cc5ffa7e64069f7fe10a52addf32a78eb84f430ebabd1aabe4cad88
Instruction ID: ef28076c2a1e7e26a114d941f56baca1c1c8880d0157ad9d9ce49eb9f6a84da9
Opcode Fuzzy Hash: 450a7d880cc5ffa7e64069f7fe10a52addf32a78eb84f430ebabd1aabe4cad88
Instruction Fuzzy Hash: FB319271E05209EFCB48CFA4D54469EFBBAEBCD300F20D5A99416EB258D7749A51CB20

Uniqueness

Uniqueness Score: -1.00%

Function 053D1F50, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8316162f8c76d7900aadad1d53eda78f595e57949fb96bd67c579be77d3ce6
Instruction ID: 19e176876165079092fc17dc884c211ca5b5be212c2a49caa1bc98d691b89e37
Opcode Fuzzy Hash: fa8316162f8c76d7900aadad1d53eda78f595e57949fb96bd67c579be77d3ce6
Instruction Fuzzy Hash: A4319475E05209EFCB48CFA4E1406AEFBBBEBCD300F20D5699416E7258D7749A51CB20

Uniqueness

Uniqueness Score: -1.00%

Function 011935F8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2156806046e72f09e746b8f68e8cf7c4fd3fa26807baf4ef74fd37519951896
Instruction ID: 85b0908aef36a632169ed509805a20b2d686d9f55ab756b223e615894bf601d8
Opcode Fuzzy Hash: e2156806046e72f09e746b8f68e8cf7c4fd3fa26807baf4ef74fd37519951896
Instruction Fuzzy Hash: 4B311671E006189BDB28CFA6D85469EBBB3FFC9310F14C06AD419A6268DB345A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 053D2831, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 053D28A0
GetCurrentThread.KERNEL32 ref: 053D28DD
GetCurrentProcess.KERNEL32 ref: 053D291A
GetCurrentThreadId.KERNEL32 ref: 053D2973

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0202fe2084c2bd5a3e6f65e5f0bbb4eae1328ed3d1265134a67f2f45785f78aa
Instruction ID: d57f9d2a3e2b3e111c0585e4d1503910783636231c500469b984bc845a08887d
Opcode Fuzzy Hash: 0202fe2084c2bd5a3e6f65e5f0bbb4eae1328ed3d1265134a67f2f45785f78aa
Instruction Fuzzy Hash: D55155B4D043098FDB14CFA9D948BEEBBF0BF48318F248459E459A7290DB785984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 053D2840, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 053D28A0
GetCurrentThread.KERNEL32 ref: 053D28DD
GetCurrentProcess.KERNEL32 ref: 053D291A
GetCurrentThreadId.KERNEL32 ref: 053D2973

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6cd4cec42b9dade6ba12a6b6a88938041e984e1a2e20515081c6e3fa6ddd79b3
Instruction ID: b8ed129cdb455a2d84d8cf0f7218c708cae93fa428b75fc8d96517a949e2a0c6
Opcode Fuzzy Hash: 6cd4cec42b9dade6ba12a6b6a88938041e984e1a2e20515081c6e3fa6ddd79b3
Instruction Fuzzy Hash: D25143B49047098FDB14CFA9D988BEEBBF0BF48318F248459E459A7390CB785984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05A96CB0, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A96F77

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3fe3bfa0eb94598a76b8305e9463a15d5ecfab91cf0ac0352facf66eb7cc7e00
Instruction ID: 8332b55eb0f39450cd26eecb871248e98e0f49704ff47e80dd8747fda636fb96
Opcode Fuzzy Hash: 3fe3bfa0eb94598a76b8305e9463a15d5ecfab91cf0ac0352facf66eb7cc7e00
Instruction Fuzzy Hash: F6C112B1D042298FDF24CFA5C880BEDBBB1BF49304F0085A9E559B7240DB749A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 053D7888, Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 053D7B0A

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b3c15dea382d15fd190098a10c1b2b36cd555eb15e398e092524f2ed8a7527be
Instruction ID: 63ac50eb574f905f7d83a3fe9991e363b793678e3297bfa53c8f4cc52fe737c8
Opcode Fuzzy Hash: b3c15dea382d15fd190098a10c1b2b36cd555eb15e398e092524f2ed8a7527be
Instruction Fuzzy Hash: B4912571A047098FDB24CF69E580B9AFBF2FF49204F00892AD496E7A50D774E945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053D9AAC, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 053D9C79

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 145cf2886ad1016af4c4f31b87c6c9f9c606be7d137b460e24771e2066d23b3c
Instruction ID: f57ee7af0605c130c3079f9e1b0262a3535025fc9179d0001f6e2a9ce7e6c4b5
Opcode Fuzzy Hash: 145cf2886ad1016af4c4f31b87c6c9f9c606be7d137b460e24771e2066d23b3c
Instruction Fuzzy Hash: AC7199B5D042189FCF21CFA9D980BDDFBF1BB09314F1091AAE808AB211D774AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 053D9AB8, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 053D9C79

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0321575cb49c364ca12ba7c2698e42848c0a3343ec35d7e7286035ad69a1c521
Instruction ID: 67c23aeef1dbb9ed83465460d81b1f4fed30d90c5ab478dcc9da52c037307784
Opcode Fuzzy Hash: 0321575cb49c364ca12ba7c2698e42848c0a3343ec35d7e7286035ad69a1c521
Instruction Fuzzy Hash: C67188B5D042189FCF20CFA9D984BDEFBF1BB09314F1491AAE808A7211D770AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 011903B0, Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0119B62A

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 33cd29b273988dc299b3455a46123eb938595844878224e78ae02a4c951de8a5
Instruction ID: 5f719952af1be9e2c98649ca64b954cc7bfb94673eb66b4aef9287e65beccda5
Opcode Fuzzy Hash: 33cd29b273988dc299b3455a46123eb938595844878224e78ae02a4c951de8a5
Instruction Fuzzy Hash: 9751CDB4D04218DFCF14CFA9E584ADEFBF4AB49314F14906AE814B7250D734AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053DD5A4, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 053DF711

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 80579a4645489d6dd7f2878f7dba03354ef72e9ebe72c46e1e2911e40e5b65bf
Instruction ID: ff1540ff587e0bc331973b91ce252813abefda10d2fe670f1ff874196ef8fca7
Opcode Fuzzy Hash: 80579a4645489d6dd7f2878f7dba03354ef72e9ebe72c46e1e2911e40e5b65bf
Instruction Fuzzy Hash: 9051D471D0822C8FDB20DFA4C980BDEBBB5BF45304F118599D509AB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053DF61B, Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 053DF711

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c6253bc3d9ab01db40caa0213ece1fa2bdcc9581a89475b32eae40787373584d
Instruction ID: 43daab520b3f1b5ba2065229c3a345cf8c2f52ca5b9585ad4ba614558009095a
Opcode Fuzzy Hash: c6253bc3d9ab01db40caa0213ece1fa2bdcc9581a89475b32eae40787373584d
Instruction Fuzzy Hash: FA51E471D0822CCFDB20CFA4C980BDEBBB5BF49304F11859AD509AB251DB716A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A96922, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A969FB

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 17bd597d5689c3cc9fce2d1133ae7f0f853fee940aaecd2c78b51924f9e4bec0
Instruction ID: 771d3f54b69677121fde52e6dce06f1a3ef551a4b12ba171dbca8d99be004601
Opcode Fuzzy Hash: 17bd597d5689c3cc9fce2d1133ae7f0f853fee940aaecd2c78b51924f9e4bec0
Instruction Fuzzy Hash: 2141A9B5D052589FCF00CFA9D984AEEFBF1BF49314F14902AE819B7200D738AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05A96928, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A969FB

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9ba729342f9b668e50677838662f33856f530110bc0e52b5905eae986db7a8e3
Instruction ID: d9ab7ac7bec7b73409db28ee335c3cf85824435e0d3b5c8c972933ecb244b3be
Opcode Fuzzy Hash: 9ba729342f9b668e50677838662f33856f530110bc0e52b5905eae986db7a8e3
Instruction Fuzzy Hash: F14199B5D052589FCF04CFA9D984AEEFBF1BF49314F14942AE819B7200D734AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 053D2A60, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053D2B33

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fcb6b23504177e0b0d49381a894a7ea3407aa5f6cf2ab3a0cddc2fe9c096e251
Instruction ID: 9fb6d27d0a68fd373bde666cae1afce59631ad47c402da72f2527a44bfacdee7
Opcode Fuzzy Hash: fcb6b23504177e0b0d49381a894a7ea3407aa5f6cf2ab3a0cddc2fe9c096e251
Instruction Fuzzy Hash: 344156B9D042589FCF00CFA9D984ADEFBF5BB09310F14902AE918AB310D775A995CF64

Uniqueness

Uniqueness Score: -1.00%

Function 053D2A68, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053D2B33

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6492e956756c5ceab70246608e0fad2c3c6b76eb9c5e26a7b18aa1be3780e58b
Instruction ID: 9929316c14f1001c3c711ac63812ea88b15f18a560d921cd5d0d84f664b5187d
Opcode Fuzzy Hash: 6492e956756c5ceab70246608e0fad2c3c6b76eb9c5e26a7b18aa1be3780e58b
Instruction Fuzzy Hash: 284145B9D042589FCF00CFA9D984ADEFBF5BB09310F14902AE918AB310D775A995CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A96A80, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A96B32

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0f4e465164e28fe1e06a636ad3be055c85fd7ef41ac500df9f1b61f43ec2e27e
Instruction ID: b57b51184ac21458a5c04aa7aff5207c43fab6abdd40d9211648b6bb327728e0
Opcode Fuzzy Hash: 0f4e465164e28fe1e06a636ad3be055c85fd7ef41ac500df9f1b61f43ec2e27e
Instruction Fuzzy Hash: 2A4197B5D042589FCF00CFAAD984AEEFBB1BF49324F14942AE915B7200D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A96808, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A968B2

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bd262cfdc574365443b5423509b415f6d09cc3b46b54d36d03ebbd7c3d5254b2
Instruction ID: 3919ea3b5ae9ee9980854e13aa3ebade0177584f8ac99001ef15e06bb607d16b
Opcode Fuzzy Hash: bd262cfdc574365443b5423509b415f6d09cc3b46b54d36d03ebbd7c3d5254b2
Instruction Fuzzy Hash: 9B3197B5D042589FCF00CFA9D980ADEFBB5BB49310F10942AE815B7200D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A96598, Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05A9666E

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 549db7f66563219b674a51be0fa7e66f80699f2f026c33a25fe46ecd3151c893
Instruction ID: 68028e247ed1257e970962508deaebe9dadbbc4d7715e017d631bbb8e3be40b7
Opcode Fuzzy Hash: 549db7f66563219b674a51be0fa7e66f80699f2f026c33a25fe46ecd3151c893
Instruction Fuzzy Hash: 5041EBB1D04258AFCF14DFA9D984AAEBBF0AB48314F14846AE925B3300DB74A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 011917A9, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01191857

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6773c27e6b98707f9bf7b6414073a55288839518a0a488a5766003ee774463e6
Instruction ID: 806f51a40c20f6510354e54d8e6ff8b868be60fc86fddcd9115586af738b6584
Opcode Fuzzy Hash: 6773c27e6b98707f9bf7b6414073a55288839518a0a488a5766003ee774463e6
Instruction Fuzzy Hash: 77319AB5D04258AFCF14CFA9E584AEEFBF0BB59320F14902AE814B7210D774A985CF65

Uniqueness

Uniqueness Score: -1.00%

Function 053D6D80, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 053D7E32

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4eb41f39bed765afd959662fe6c5f45b16d93eb5472d4be5904f550cc0e71ff4
Instruction ID: e64f1a006c2c04942a0e6267e1e7d828b2ec0277480e218801b6a8a3688e9250
Opcode Fuzzy Hash: 4eb41f39bed765afd959662fe6c5f45b16d93eb5472d4be5904f550cc0e71ff4
Instruction Fuzzy Hash: 274197B5D042589FCF14CFA9E484AAEFBF5FB49314F14902AE914B7210D374A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DAB14, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053DC461

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5688e8c0d2e915ca8b416f08582c33fe0a407e234c7637ae9c246689b14e5a90
Instruction ID: 76594b3bdd8e15460cd37b9d60de20c251b221d12f29d68c9c48a8d34fc6e3f5
Opcode Fuzzy Hash: 5688e8c0d2e915ca8b416f08582c33fe0a407e234c7637ae9c246689b14e5a90
Instruction Fuzzy Hash: 334147B5A102098FDB15CF99D488AAAFBF5FF88314F14C859E519A7321C774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 053D7D80, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 053D7E32

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 527676cb7f48b964b743a3c3386681868b871e8974c1863ec7f8d88faf14ef61
Instruction ID: 9ce6b56d4468c89dd086f69e6a2083e88dc44b0a6c06ae35bb65168a7da8d789
Opcode Fuzzy Hash: 527676cb7f48b964b743a3c3386681868b871e8974c1863ec7f8d88faf14ef61
Instruction Fuzzy Hash: C34197B5D042589FCB14CFA9E884AAEFBF5FB49314F14902AE814B7210D734A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 011917B0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01191857

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a7f5dce7af396f0402249a7d1cc285e22972ad233d777bf3062bc5c1cf1a594c
Instruction ID: 3d50c376ea35401760a3496d30d1a24c9844ff6c52047ec843cbaf2a92049d07
Opcode Fuzzy Hash: a7f5dce7af396f0402249a7d1cc285e22972ad233d777bf3062bc5c1cf1a594c
Instruction Fuzzy Hash: 9B3199B5D04258AFCF14CFA9D584ADEFBB4BB09320F14902AE824B7210D734A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01199C88, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01199D2F

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9abdfc19862a20f35d2cf34eb5f368c9193a9043d522b77d40bde4f5094cda7c
Instruction ID: 26390ee7904082213f54c411448f775846a522fea6429b476a8c1bd09a6e2eed
Opcode Fuzzy Hash: 9abdfc19862a20f35d2cf34eb5f368c9193a9043d522b77d40bde4f5094cda7c
Instruction Fuzzy Hash: F63198B9D042589FCF14CFA9D984ADEFBF0BB09314F14902AE824B7210D734AA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A966E0, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05A9678F

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f462f8d4c74adf88dc814bd0ae6def634b82b8fb9267a88189fae6ae8b62caf7
Instruction ID: 95af253cda8449da6a6564eba57e5ffca66b08df654eb9ce1170c86879543f18
Opcode Fuzzy Hash: f462f8d4c74adf88dc814bd0ae6def634b82b8fb9267a88189fae6ae8b62caf7
Instruction Fuzzy Hash: 9231BAB4D042589FCF14CFA9D884AEEBBF1BF49314F14842AE415B7240D738A989CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C390, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05A9C42B

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9ded4ad8b393137bbeb14b75580b17738816692fe3d5ef4824bb3b11e4e0e391
Instruction ID: 9da6db608b5b26b826bd3137ad85fd7427b89d08e8a070581e8d7638e9e0a245
Opcode Fuzzy Hash: 9ded4ad8b393137bbeb14b75580b17738816692fe3d5ef4824bb3b11e4e0e391
Instruction Fuzzy Hash: 503187B9D042589FCF14CFA9E984ADEFBF4AB49320F14901AE814B7310D334A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 011903C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0119B62A

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 383a453ef8d407aeb08b55fa4c3427421c88c70b5c440cdfbf11f6040a3685c2
Instruction ID: 947492f41d2d61b9483883df8a6f5ae1f2ebe43ae78a74c7840d67bc7f4c5f80
Opcode Fuzzy Hash: 383a453ef8d407aeb08b55fa4c3427421c88c70b5c440cdfbf11f6040a3685c2
Instruction Fuzzy Hash: FD31BCB4D042489FCF14CFAAE584ADEFBF5AB49314F14906AE828B7310D734A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05A965E8, Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05A9666E

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4a7fe932ffe03148de8278a4840c4ae1f3810adc6985c3388c0502ca4c4779d9
Instruction ID: 9e5fa4b03f9fe79cdb6816f4132db0d39a0dffb87265b4b9165140086ac56ab9
Opcode Fuzzy Hash: 4a7fe932ffe03148de8278a4840c4ae1f3810adc6985c3388c0502ca4c4779d9
Instruction Fuzzy Hash: D731DAB4D04258AFCF04CFA9D984ADEFBB5AF48314F14842AE915B7300CB34A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053D7A78, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 053D7B0A

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d2bf84c9001699bf5b1c128558c20ce347f9ce29b4577bdd390932468181d5b
Instruction ID: 63b4eaf70bd2cfa6e60add0f565ed10af9cc090235a6e0dfcee2e5d3b81245ec
Opcode Fuzzy Hash: 4d2bf84c9001699bf5b1c128558c20ce347f9ce29b4577bdd390932468181d5b
Instruction Fuzzy Hash: 2031A8B5D042099FCB14CFAAE884ADEFBF5EB49314F14902AE818B7310D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05A965F0, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05A9666E

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 994411094b5da9251299d8d359b6e3c3b565fddae1f93ba5bb52f46199c5ddd8
Instruction ID: 4afa0c485318d877ab61d8250ef0fb45dc6dfa5824805f7b266e5b215b8320df
Opcode Fuzzy Hash: 994411094b5da9251299d8d359b6e3c3b565fddae1f93ba5bb52f46199c5ddd8
Instruction Fuzzy Hash: 3131C9B4D042589FCF14CFA9D984AEEFBB5AF49324F14942AE915B7300CB34A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0113D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243121926.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0578811e64cad3818dca1fb4f63dcc35a2441a653a94e5c1ef1d1b0fafd739eb
Instruction ID: 35459f2a7070a1ea0f1bb68035245a2ee43e18fd9e5bf9a38c4a6d72d868726b
Opcode Fuzzy Hash: 0578811e64cad3818dca1fb4f63dcc35a2441a653a94e5c1ef1d1b0fafd739eb
Instruction Fuzzy Hash: 182133B0508240DFCF18CF64E8C0B26FB61FB84658F60C569E9094B24AC736D846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0113D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243121926.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e142b21685fd1633770c35fb2f50a2768f20012825e7339496d0ed27d215a0
Instruction ID: c400f5da4acb3cb263f249500cb2a7c36516db2ea3ed407001c61534d846f4d2
Opcode Fuzzy Hash: 47e142b21685fd1633770c35fb2f50a2768f20012825e7339496d0ed27d215a0
Instruction Fuzzy Hash: 8921B0714083809FCB06CF24D994B11BF71EB86214F28C5DAD8498F2A7C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112D7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243106491.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab42f37b2b93f71248c4e10a47979044f360baa00b1f96459d3d2631d18eff2
Instruction ID: 7fd715e6c2cfd0de064ec99ac78ec54bc4234e3cbafaf0f21432a248636ed1b6
Opcode Fuzzy Hash: 7ab42f37b2b93f71248c4e10a47979044f360baa00b1f96459d3d2631d18eff2
Instruction Fuzzy Hash: 0B01F77140C3909AEB184AA6EC84766FBD8EF41634F09C45AFE085B287D3B89444C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0112D7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243106491.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce66bfea6c618f45e0fbc52c519cf63c80c985b8d2cee72336aaf7b19b323634
Instruction ID: 5e348bbfd15ce25d187c51156c3e88b0acf32e9d21cfe8a03f21d88bf600777a
Opcode Fuzzy Hash: ce66bfea6c618f45e0fbc52c519cf63c80c985b8d2cee72336aaf7b19b323634
Instruction Fuzzy Hash: B4F096714083949EEB158A5ADCC4B66FFD8EB41634F18C45AFD485B28BC3B89844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01195370, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

g)wq, xrefs: 0119556F
g)wq, xrefs: 0119557D

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: g)wq$g)wq
API String ID: 0-869475573
Opcode ID: 6963a633070f0ece7411a5b837aa9dac100ea3683076d96b72eef610f98257b7
Instruction ID: 5e7545ded9ce93e649c9df75a0173b96a5c42de87d1c2ddaee6d0591b7c9a6be
Opcode Fuzzy Hash: 6963a633070f0ece7411a5b837aa9dac100ea3683076d96b72eef610f98257b7
Instruction Fuzzy Hash: 6171ED74A15219CFCB49CFA9D5848ADBBF2FB89310F14956AE415BB320D330AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01195360, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

g)wq, xrefs: 0119557D

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: g)wq
API String ID: 0-4149592914
Opcode ID: a3f0d522101e49ac03eeadcff62aebb9ec999762a686e5a42fec543b88b244d2
Instruction ID: ec29a348af94077514affdb3a713f21b4ef6f706a375e28a47156250bf400805
Opcode Fuzzy Hash: a3f0d522101e49ac03eeadcff62aebb9ec999762a686e5a42fec543b88b244d2
Instruction Fuzzy Hash: A771DE74E152198FCB49CFA9C5849AEFBF2FF89310F14956AE415AB321D330AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011965B8, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

~m1, xrefs: 011966AE

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: ~m1
API String ID: 0-2716026466
Opcode ID: c774fa8ef89dd7e098a8336cc3010f710e94253488a92d6f07529eb8bde2b201
Instruction ID: ae769087ee9436d9d755d1d147bbde775d8520ead589396ea1dae5bbd33395a1
Opcode Fuzzy Hash: c774fa8ef89dd7e098a8336cc3010f710e94253488a92d6f07529eb8bde2b201
Instruction Fuzzy Hash: 4041E7B0E0460ADBCF48CFAAC4815AEFBF2BF89300F15C46AC515A7254E7349A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011965C8, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

~m1, xrefs: 011966AE

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID: ~m1
API String ID: 0-2716026466
Opcode ID: 70d248f7b03daf9530ee28c9724f049dcbc348b34ecc6d450e273e9f83244ea0
Instruction ID: 61ac71c3b98fca62f917be9c8231265428b7b2fa58716b588769c1496f2b5bdd
Opcode Fuzzy Hash: 70d248f7b03daf9530ee28c9724f049dcbc348b34ecc6d450e273e9f83244ea0
Instruction Fuzzy Hash: 5D41F8B4E0460ADBCF48CFAAC4415AEFBF2BF89304F15D12AC425A7254E7349A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053D8070, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6e92ff294848e336b4d1976637fc1f2a18701ebb55e36452e301d7992c4b07
Instruction ID: 21ecf5aab76e4ad166c2b9eebf18990bb72910390de5bc9a72c1776d5f7369a3
Opcode Fuzzy Hash: ba6e92ff294848e336b4d1976637fc1f2a18701ebb55e36452e301d7992c4b07
Instruction Fuzzy Hash: 46528BB1500B06CFD710CF1AE88859DBBB1FB5931AF60420AD6E15B2D0D7BD688ACF64

Uniqueness

Uniqueness Score: -1.00%

Function 053D5668, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c34cccc2560a40b17100c394507b3c620ba1307c2facc29fa4250c4329a5fa
Instruction ID: 0305bd3330fd4c3addfdc5b2978bdd9dbf3df12407482af7aeb4f1ca068d8abe
Opcode Fuzzy Hash: 16c34cccc2560a40b17100c394507b3c620ba1307c2facc29fa4250c4329a5fa
Instruction Fuzzy Hash: 56A18132E106198FCF05DFB5D8846EDFBB2FF84300B15856AE806BB221EB71A955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01196211, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6adafce49f88d7bb4fbfc21720c06a345365dc82d5896eadd130104f3c8898b
Instruction ID: f4681b1dabfe4433647e047d537a2a91d53c695425e92c22174c1fb5c0a3afb8
Opcode Fuzzy Hash: e6adafce49f88d7bb4fbfc21720c06a345365dc82d5896eadd130104f3c8898b
Instruction Fuzzy Hash: 466129B0E0820ADFCF08CFA5C5815AEFBB2FF49344F15856AD525AB254D3349A52CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011967E8, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980cc6090ecc97691332400afabf2bd3d7848e0a70b6e5514383310a3ded9d82
Instruction ID: db773523116adf5f7eb318a320bbe1184fe4e2fb254642e3f08c6f823f68a5b3
Opcode Fuzzy Hash: 980cc6090ecc97691332400afabf2bd3d7848e0a70b6e5514383310a3ded9d82
Instruction Fuzzy Hash: 3F51B074E05619CFCF08CFAAC5809EEFBF2BB89210F25952AD425BB214D7349A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 011967D9, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e298ca55b0adc05e9dd5ccf88a705fb5f92448cf1d2b6ae679fbc7d5dd73024
Instruction ID: b4b3301ca69969cefe3bd0cc411033ccca6bf802ac1ff63895ed54e7ec00f1af
Opcode Fuzzy Hash: 9e298ca55b0adc05e9dd5ccf88a705fb5f92448cf1d2b6ae679fbc7d5dd73024
Instruction Fuzzy Hash: 3F51C074E156198FCF08CFA9C9809EEFBF2BF89200F25946AD415BB214D3349A42CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01196A10, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af415fa5c115f79224411d10764631fbab2167200fd4e6c54e5b9893f6183432
Instruction ID: c310fa8df8fe34b41597721ae9653c6ee9bca6c2df8d8fa5583a1c656b21d4f1
Opcode Fuzzy Hash: af415fa5c115f79224411d10764631fbab2167200fd4e6c54e5b9893f6183432
Instruction Fuzzy Hash: 8551C9B0E0560ADBCF48CFAAC5815AEFBF2FB88300F24D56AC515A7254D3749A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01196A00, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d594224c1640186d770d2e6e7c312d662754d14df7dd2990914b0e3a2d3251
Instruction ID: 5f9e39d73bb2ffbf7a244edec128d12a1734c3230b7e7f80b0950ca941db7046
Opcode Fuzzy Hash: 08d594224c1640186d770d2e6e7c312d662754d14df7dd2990914b0e3a2d3251
Instruction Fuzzy Hash: C1510A70E0560ADBCF08CFAAC5815AEFBB2FF88300F25D46AC515A7254D3749A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05A98192, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bcb614733251d2691838810c603e4f94f8a42a4062eae214aee9409e8e46ba
Instruction ID: 7302911e9138a290f1d505677552df08acaf5c562553601be01aec756ee103b4
Opcode Fuzzy Hash: 48bcb614733251d2691838810c603e4f94f8a42a4062eae214aee9409e8e46ba
Instruction Fuzzy Hash: 99415B71E146189BDF58CFAAD8456AEFBF6FB89300F14C06AD418A7354D7345A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053D6F54, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d61e203a6e20adedc60c00becf0694b4229244c7ca1aed2c670e7f145c81d4
Instruction ID: 0aa5f2c32f4ac65947d138b336399ac0a6f1dce1e3dee1e430276117f94cabb2
Opcode Fuzzy Hash: 95d61e203a6e20adedc60c00becf0694b4229244c7ca1aed2c670e7f145c81d4
Instruction Fuzzy Hash: 7331BBB5D052089FCB10CFA9E984ADEFBF5BB59310F14902AE815B7310D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DA988, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250756647.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6bc276a2b3127efe39ac62487d78b62464b55814973f486eee10f06ff11a06
Instruction ID: 3cdf8c8a9199ed3042773e7e086e59aff1052b0cedd72c3569385a8a581b730a
Opcode Fuzzy Hash: 3f6bc276a2b3127efe39ac62487d78b62464b55814973f486eee10f06ff11a06
Instruction Fuzzy Hash: DD31BCB5D052189FCB10CFA9E984AEEFBF5BB59310F14902AE804B7310D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01196C31, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243196967.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58f8ddb5a7524b8a630d3e24e5c3dcee90016d7b7eede7e0a2b42e2b9273a7f
Instruction ID: 93303573f0eecfe5c536ef1f4b89a5503d6d3e42e10e972d39337bcb03ec5825
Opcode Fuzzy Hash: f58f8ddb5a7524b8a630d3e24e5c3dcee90016d7b7eede7e0a2b42e2b9273a7f
Instruction Fuzzy Hash: F131E971E056189FEB18CFABD84069EFBF3AFC9204F14C0BAC518A6254DB345A568F61

Uniqueness

Uniqueness Score: -1.00%

Function 05A9312D, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251086253.0000000005A90000.00000040.00000001.sdmp, Offset: 05A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a785a73b9855bc8ee2b748e6036500c27284f35e690f93cf98b4ac05513b10b
Instruction ID: 73e5abe7d81268d5fb21f4ca1f55430a12dbb18c45fdeb32d83728986beff016
Opcode Fuzzy Hash: 1a785a73b9855bc8ee2b748e6036500c27284f35e690f93cf98b4ac05513b10b
Instruction Fuzzy Hash: 6531A2B2D142549BEF0CCF6BC845B9AFFF6EFD5200F18C06AD448E6255DA308641CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 13efMb6ayq.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior