Play interactive tour

Edit tour

Analysis Report cXyHZtgrFS.exe

Overview

General Information

Sample Name:	cXyHZtgrFS.exe
Analysis ID:	412155
MD5:	82f9b9752d04017d3ea889f8a83c6c17
SHA1:	e192196bd3415149952549b8fa5cf9c2753d5bf3
SHA256:	eadbbb8b375ad2b983ed4e9653d7cbbe980cadca775be3b597cfd0524743676e
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected AntiVM3

Yara detected Nanocore RAT

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

cXyHZtgrFS.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\cXyHZtgrFS.exe' MD5: 82F9B9752D04017D3EA889F8A83C6C17)

schtasks.exe (PID: 4944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 752 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x175815:$x1: NanoCore.ClientPluginHost 0x175852:$x2: IClientNetworkHost 0x179385:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x17557d:$a: NanoCore 0x17558d:$a: NanoCore 0x1757c1:$a: NanoCore 0x1757d5:$a: NanoCore 0x175815:$a: NanoCore 0x1755dc:$b: ClientPlugin 0x1757de:$b: ClientPlugin 0x17581e:$b: ClientPlugin 0x175703:$c: ProjectData 0x17610a:$d: DESCrypto 0x17dad6:$e: KeepAlive 0x17bac4:$g: LogClientMessage 0x177cbf:$i: get_Connected 0x176440:$j: #=q 0x176470:$j: #=q 0x17648c:$j: #=q 0x1764bc:$j: #=q 0x1764d8:$j: #=q 0x1764f4:$j: #=q 0x176524:$j: #=q 0x176540:$j: #=q
00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b156d:$x1: NanoCore.ClientPluginHost 0x1b15aa:$x2: IClientNetworkHost 0x1b50dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b12d5:$a: NanoCore 0x1b12e5:$a: NanoCore 0x1b1519:$a: NanoCore 0x1b152d:$a: NanoCore 0x1b156d:$a: NanoCore 0x1b1334:$b: ClientPlugin 0x1b1536:$b: ClientPlugin 0x1b1576:$b: ClientPlugin 0x1b145b:$c: ProjectData 0x1b1e62:$d: DESCrypto 0x1b982e:$e: KeepAlive 0x1b781c:$g: LogClientMessage 0x1b3a17:$i: get_Connected 0x1b2198:$j: #=q 0x1b21c8:$j: #=q 0x1b21e4:$j: #=q 0x1b2214:$j: #=q 0x1b2230:$j: #=q 0x1b224c:$j: #=q 0x1b227c:$j: #=q 0x1b2298:$j: #=q
Process Memory Space: cXyHZtgrFS.exe PID: 5440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.cXyHZtgrFS.exe.4a483e0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cXyHZtgrFS.exe.4a483e0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cXyHZtgrFS.exe.4a483e0.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cXyHZtgrFS.exe.4a483e0.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b100d:$x1: NanoCore.ClientPluginHost 0x1b104a:$x2: IClientNetworkHost 0x1b4b7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b0d75:$a: NanoCore 0x1b0d85:$a: NanoCore 0x1b0fb9:$a: NanoCore 0x1b0fcd:$a: NanoCore 0x1b100d:$a: NanoCore 0x1b0dd4:$b: ClientPlugin 0x1b0fd6:$b: ClientPlugin 0x1b1016:$b: ClientPlugin 0x1b0efb:$c: ProjectData 0x1b1902:$d: DESCrypto 0x1b92ce:$e: KeepAlive 0x1b72bc:$g: LogClientMessage 0x1b34b7:$i: get_Connected 0x1b1c38:$j: #=q 0x1b1c68:$j: #=q 0x1b1c84:$j: #=q 0x1b1cb4:$j: #=q 0x1b1cd0:$j: #=q 0x1b1cec:$j: #=q 0x1b1d1c:$j: #=q 0x1b1d38:$j: #=q
Click to see the 5 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\cXyHZtgrFS.exe' , ParentImage: C:\Users\user\Desktop\cXyHZtgrFS.exe, ParentProcessId: 5440, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 752

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe

ReversingLabs: Detection: 19%

Multi AV Scanner detection for submitted file

Show sources

Source: cXyHZtgrFS.exe	Virustotal: Detection: 27%			Perma Link
Source: cXyHZtgrFS.exe	ReversingLabs: Detection: 19%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE

Source: cXyHZtgrFS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: cXyHZtgrFS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\vuUnytUkvs\src\obj\Debug\TraceLoggingDataCollector.pdb source: cXyHZtgrFS.exe
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000003.00000003.276196489.00000000064D7000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wespeaktruthtoman.sytes.net
Source: Malware configuration extractor	URLs: wespeaktruthtoman12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.3:49693 -> 79.134.225.47:5600

Source: Joe Sandbox View

IP Address: 79.134.225.47 79.134.225.47

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: wespeaktruthtoman.sytes.net

Source: cXyHZtgrFS.exe	String found in binary or memory: http://checkip.dyndns.org/
Source: cXyHZtgrFS.exe, 00000000.00000002.225630352.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/E
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=1
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlk
Source: cXyHZtgrFS.exe	String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: cXyHZtgrFS.exe	String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC

Source: cXyHZtgrFS.exe, 00000000.00000002.225109675.0000000000EEA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_0125C2B0	0_2_0125C2B0
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_01259968	0_2_01259968
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_051B4958	0_2_051B4958
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_051BAAD0	0_2_051BAAD0
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_051B8470	0_2_051B8470
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_051BAAC1	0_2_051BAAC1

Source: cXyHZtgrFS.exe	Binary or memory string: OriginalFilename vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.235206090.000000000BEC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.235206090.000000000BEC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.228874914.0000000003D63000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.226048023.0000000002C5B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000003.219787441.0000000000F8F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTraceLoggingDataCollector.exeF vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.225109675.0000000000EEA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe, 00000000.00000002.234640954.000000000BDC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs cXyHZtgrFS.exe
Source: cXyHZtgrFS.exe	Binary or memory string: OriginalFilenameTraceLoggingDataCollector.exeF vs cXyHZtgrFS.exe

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: cXyHZtgrFS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: cXyHZtgrFS.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ZLWPrVikqiWD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@49/2

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File created: C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a7fa722b-7dae-45b1-afa6-302155a56210}
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Mutant created: \Sessions\1\BaseNamedObjects\vJfbolFAwPFkIAcsDgWFGx

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp

Jump to behavior

Source: cXyHZtgrFS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: cXyHZtgrFS.exe	Virustotal: Detection: 27%
Source: cXyHZtgrFS.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File read: C:\Users\user\Desktop\cXyHZtgrFS.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cXyHZtgrFS.exe 'C:\Users\user\Desktop\cXyHZtgrFS.exe'
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cXyHZtgrFS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cXyHZtgrFS.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: cXyHZtgrFS.exe

Static file information: File size 1399296 > 1048576

Source: cXyHZtgrFS.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x152000

Source: cXyHZtgrFS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: cXyHZtgrFS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\vuUnytUkvs\src\obj\Debug\TraceLoggingDataCollector.pdb source: cXyHZtgrFS.exe
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000003.00000003.276196489.00000000064D7000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_012504D0 push C033011Fh; ret		0_2_012504E2
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Code function: 0_2_051B83E4 push 5800005Eh; iretd		0_2_051B83E9

Source: initial sample	Static PE information: section name: .text entropy: 7.93649392422
Source: initial sample	Static PE information: section name: .text entropy: 7.93649392422

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File created: C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cXyHZtgrFS.exe PID: 5440, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2427	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 666	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 789	Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe TID: 5508	Thread sleep time: -104513s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe TID: 5612	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Thread delayed: delay time: 104513	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000003.00000003.230825568.00000000012CF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C6F008	Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Users\user\Desktop\cXyHZtgrFS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cXyHZtgrFS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cXyHZtgrFS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.4a483e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cXyHZtgrFS.exe.48a7560.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection311	Masquerading1	Input Capture1	Security Software Discovery211	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection311	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cXyHZtgrFS.exe	27%	Virustotal		Browse
cXyHZtgrFS.exe	19%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe	19%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
wespeaktruthtoman.sytes.net	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=1	0%	Avira URL Cloud	safe
wespeaktruthtoman12.sytes.net	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/E	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.html	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/report/reporter_index.php?name=	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/index_ru.htmlk	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/downloads/	0%	Avira URL Cloud	safe
http://servermanager.miixit.org/hits/hit_index.php?k=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wespeaktruthtoman.sytes.net	79.134.225.47	true	true		unknown
wespeaktruthtoman12.sytes.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wespeaktruthtoman.sytes.net	true	Avira URL Cloud: safe	unknown
wespeaktruthtoman12.sytes.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=1	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC	cXyHZtgrFS.exe	false		high
http://servermanager.miixit.org/E	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/index_ru.html	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/report/reporter_index.php?name=	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cXyHZtgrFS.exe, 00000000.00000002.225630352.0000000002BC1000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/index_ru.htmlk	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	cXyHZtgrFS.exe, 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp	false		high
http://servermanager.miixit.org/downloads/	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown
http://servermanager.miixit.org/hits/hit_index.php?k=	cXyHZtgrFS.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.47	wespeaktruthtoman.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412155
Start date:	12.05.2021
Start time:	12:55:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cXyHZtgrFS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@49/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 24 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 40.88.32.150, 104.43.193.48, 184.30.20.56 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:56:33	API Interceptor	1x Sleep call for process: cXyHZtgrFS.exe modified
12:56:38	API Interceptor	1043x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.47	13efMb6ayq.exe	Get hash	malicious	Browse
	s65eJyjKga.exe	Get hash	malicious	Browse
	new order.xlsx	Get hash	malicious	Browse
	Ot3srIM10B.exe	Get hash	malicious	Browse
	kwK4iGa9DL.exe	Get hash	malicious	Browse
	4z9Saf2vu3.exe	Get hash	malicious	Browse
	image002933894HF8474H038RHF7.exe	Get hash	malicious	Browse
	IMG-PO-SCAN-DOCUMENTS-00HDU12.exe	Get hash	malicious	Browse
	IMAGE-SCAN-DOCUMENTS-002D.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wespeaktruthtoman.sytes.net	13efMb6ayq.exe	Get hash	malicious	Browse	79.134.225.47
	s65eJyjKga.exe	Get hash	malicious	Browse	79.134.225.47
	new order.xlsx	Get hash	malicious	Browse	79.134.225.47
	Ot3srIM10B.exe	Get hash	malicious	Browse	79.134.225.47
	kwK4iGa9DL.exe	Get hash	malicious	Browse	79.134.225.47
	4z9Saf2vu3.exe	Get hash	malicious	Browse	79.134.225.47
	ORDER 4553241.xlsx	Get hash	malicious	Browse	105.112.101.86
	Pu5UMH4fWK.exe	Get hash	malicious	Browse	79.134.225.14

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	INVOIC #CTR 110510H001347.exe	Get hash	malicious	Browse	79.134.225.17
	13efMb6ayq.exe	Get hash	malicious	Browse	79.134.225.47
	PO #KV18RE001-A5491.exe	Get hash	malicious	Browse	79.134.225.91
	Devizni izvod za partiju 0050100073053.exe	Get hash	malicious	Browse	79.134.225.71
	QwUl4FaToe.exe	Get hash	malicious	Browse	79.134.225.71
	IMG_1035852_607.exe	Get hash	malicious	Browse	79.134.225.10
	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse	79.134.225.17
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	Give Offer CVE6535 _TVOP-MIO, pdf.exe	Get hash	malicious	Browse	79.134.225.8
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	RFQEMFA.Elektrik.pdf.exe	Get hash	malicious	Browse	79.134.225.17
	w85rzxid7y.exe	Get hash	malicious	Browse	79.134.225.81
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	s65eJyjKga.exe	Get hash	malicious	Browse	79.134.225.47
	new order.xlsx	Get hash	malicious	Browse	79.134.225.47
	Ot3srIM10B.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	wnQXyfONbS.exe	Get hash	malicious	Browse	79.134.225.82
	kwK4iGa9DL.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cXyHZtgrFS.exe.log Download File
Process:	C:\Users\user\Desktop\cXyHZtgrFS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp Download File
Process:	C:\Users\user\Desktop\cXyHZtgrFS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.198641179123284
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBLPtn:cbh47TlNQ//rydbz9I3YODOLNdq3r
MD5:	95F93C14F0527685C610DC5DE83209DF
SHA1:	0006AB4EA22FD79E519519667A28A91785A022FB
SHA-256:	E038B8065134AB7E8AB8C15B958DA55AFDC7B348CA41FBD120C5468BB2177CEE
SHA-512:	D60E566B23840FAE514526980E6BA62ACEE037382ED56E8AA56F03B8EAF9BF39F4A7C55891FBFB87496B2935E74422217DEDCD75B9D527CEA1C18498A65A492D
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Rj:Rj
MD5:	3A842E5A46DE30A8EE03515B6EA4C30D
SHA1:	06F2BB28EAFB4F6A64572940C5BC7F8D11685E8D
SHA-256:	446DD73D186F12F387AE5B361D3C20368530C3197914EBC2D80E7775426ED8E2
SHA-512:	51D97EAEBE213844A8602A9E3329D76F0DAFD0A3F788DB31E0784BE516D105D2801F3E462D332C8F2FCA2909317B23F99F8F24EBDB4995E5D519F16C48CFC548
Malicious:	true
Reputation:	low
Preview:	.......H

C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe Download File
Process:	C:\Users\user\Desktop\cXyHZtgrFS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1399296
Entropy (8bit):	7.924027323952348
Encrypted:	false
SSDEEP:	24576:ochI6jw9IwuOLQuBwP3F5tTrtGzT0dhdYlFlHriUJpqoLElXBI/:LuSyD0F5lozTuhdUuUXLAXO
MD5:	82F9B9752D04017D3EA889F8A83C6C17
SHA1:	E192196BD3415149952549B8FA5CF9C2753D5BF3
SHA-256:	EADBBB8B375AD2B983ED4E9653D7CBBE980CADCA775BE3B597CFD0524743676E
SHA-512:	D2B862E35929C96F43651FE9AA1121ADF4918183B10948064309C4E9626FD15B85FABB4406834DBAD7E2451541B6ACBF313891630E45434DE1AFD92157A9D9C8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 19%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`..............P.. ...8.......?... ...@....@.. ....................................@.................................d?..O....@...4..........................,>............................................... ............... ..H............text........ ... .................. ..`.rsrc....4...@...6..."..............@..@.reloc...............X..............@..B.................?......H.......xr..T...............`K...........................................0............(....( .........(.....o!.........................("......(#......($......(%......(&....N..(....o....('....&..((.....s)........s........s+........s,........s-............0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+...0......

C:\Users\user\AppData\Roaming\ZLWPrVikqiWD.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\cXyHZtgrFS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.924027323952348
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	cXyHZtgrFS.exe
File size:	1399296
MD5:	82f9b9752d04017d3ea889f8a83c6c17
SHA1:	e192196bd3415149952549b8fa5cf9c2753d5bf3
SHA256:	eadbbb8b375ad2b983ed4e9653d7cbbe980cadca775be3b597cfd0524743676e
SHA512:	d2b862e35929c96f43651fe9aa1121adf4918183b10948064309c4e9626fd15b85fabb4406834dbad7e2451541b6acbf313891630e45434de1afd92157a9d9c8
SSDEEP:	24576:ochI6jw9IwuOLQuBwP3F5tTrtGzT0dhdYlFlHriUJpqoLElXBI/:LuSyD0F5lozTuhdUuUXLAXO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`..............P.. ...8.......?... ...@....@.. ....................................@................................

File Icon


Icon Hash:	f2d2e9fcc4ead362

Static PE Info

General
Entrypoint:	0x553fb6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609B31CE [Wed May 12 01:39:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
pushad
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
nop
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
rol byte ptr [eax], 00000000h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
lock add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
jnle 00007F68A0A0BAE2h
add byte ptr [eax+00h], bh
add byte ptr [eax+00000000h], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x153f64	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x154000	0x34dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x158000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x153e2c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x151fbc	0x152000	False	0.937950721154	data	7.93649392422	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x154000	0x34dc	0x3600	False	0.361689814815	data	5.25494603231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x158000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x154100	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x1566b8	0x14	data
RT_VERSION	0x1566dc	0x384	data
RT_MANIFEST	0x156a70	0xa65	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	3.0.0.0
InternalName	TraceLoggingDataCollector.exe
FileVersion	3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ServerManager_Core
ProductVersion	3.0.0.0
FileDescription	ServerManager_Core
OriginalFilename	TraceLoggingDataCollector.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 12:56:40.512617111 CEST	49693	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:40.588664055 CEST	5600	49693	79.134.225.47	192.168.2.3
May 12, 2021 12:56:41.099802017 CEST	49693	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:41.175457001 CEST	5600	49693	79.134.225.47	192.168.2.3
May 12, 2021 12:56:41.677934885 CEST	49693	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:41.753674030 CEST	5600	49693	79.134.225.47	192.168.2.3
May 12, 2021 12:56:46.053966045 CEST	49699	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:46.129770994 CEST	5600	49699	79.134.225.47	192.168.2.3
May 12, 2021 12:56:46.638493061 CEST	49699	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:46.714185953 CEST	5600	49699	79.134.225.47	192.168.2.3
May 12, 2021 12:56:47.225359917 CEST	49699	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:47.301090002 CEST	5600	49699	79.134.225.47	192.168.2.3
May 12, 2021 12:56:51.402374983 CEST	49701	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:51.480460882 CEST	5600	49701	79.134.225.47	192.168.2.3
May 12, 2021 12:56:52.085212946 CEST	49701	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:52.162516117 CEST	5600	49701	79.134.225.47	192.168.2.3
May 12, 2021 12:56:52.772712946 CEST	49701	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:56:52.849281073 CEST	5600	49701	79.134.225.47	192.168.2.3
May 12, 2021 12:57:09.826275110 CEST	49705	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:09.905472040 CEST	5600	49705	79.134.225.47	192.168.2.3
May 12, 2021 12:57:10.414889097 CEST	49705	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:10.493894100 CEST	5600	49705	79.134.225.47	192.168.2.3
May 12, 2021 12:57:11.008740902 CEST	49705	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:11.087760925 CEST	5600	49705	79.134.225.47	192.168.2.3
May 12, 2021 12:57:15.179896116 CEST	49706	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:15.255753994 CEST	5600	49706	79.134.225.47	192.168.2.3
May 12, 2021 12:57:15.759206057 CEST	49706	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:15.835309982 CEST	5600	49706	79.134.225.47	192.168.2.3
May 12, 2021 12:57:16.337306023 CEST	49706	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:16.413285971 CEST	5600	49706	79.134.225.47	192.168.2.3
May 12, 2021 12:57:20.497596979 CEST	49707	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:20.576368093 CEST	5600	49707	79.134.225.47	192.168.2.3
May 12, 2021 12:57:21.087666035 CEST	49707	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:21.166415930 CEST	5600	49707	79.134.225.47	192.168.2.3
May 12, 2021 12:57:21.681576014 CEST	49707	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:21.761924028 CEST	5600	49707	79.134.225.47	192.168.2.3
May 12, 2021 12:57:39.160238981 CEST	49708	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:39.236049891 CEST	5600	49708	79.134.225.47	192.168.2.3
May 12, 2021 12:57:39.745572090 CEST	49708	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:39.821310997 CEST	5600	49708	79.134.225.47	192.168.2.3
May 12, 2021 12:57:40.323801041 CEST	49708	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:40.399591923 CEST	5600	49708	79.134.225.47	192.168.2.3
May 12, 2021 12:57:44.479228973 CEST	49709	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:44.555296898 CEST	5600	49709	79.134.225.47	192.168.2.3
May 12, 2021 12:57:45.058511972 CEST	49709	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:45.134550095 CEST	5600	49709	79.134.225.47	192.168.2.3
May 12, 2021 12:57:45.636789083 CEST	49709	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:45.713602066 CEST	5600	49709	79.134.225.47	192.168.2.3
May 12, 2021 12:57:49.848792076 CEST	49710	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:49.924684048 CEST	5600	49710	79.134.225.47	192.168.2.3
May 12, 2021 12:57:50.433967113 CEST	49710	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:50.511605024 CEST	5600	49710	79.134.225.47	192.168.2.3
May 12, 2021 12:57:51.012428999 CEST	49710	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:57:51.088206053 CEST	5600	49710	79.134.225.47	192.168.2.3
May 12, 2021 12:58:08.526103020 CEST	49711	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:08.602035999 CEST	5600	49711	79.134.225.47	192.168.2.3
May 12, 2021 12:58:09.107485056 CEST	49711	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:09.183195114 CEST	5600	49711	79.134.225.47	192.168.2.3
May 12, 2021 12:58:09.685790062 CEST	49711	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:09.761878014 CEST	5600	49711	79.134.225.47	192.168.2.3
May 12, 2021 12:58:13.849675894 CEST	49712	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:13.928164959 CEST	5600	49712	79.134.225.47	192.168.2.3
May 12, 2021 12:58:14.436135054 CEST	49712	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:14.514753103 CEST	5600	49712	79.134.225.47	192.168.2.3
May 12, 2021 12:58:15.029930115 CEST	49712	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:15.108514071 CEST	5600	49712	79.134.225.47	192.168.2.3
May 12, 2021 12:58:19.220876932 CEST	49713	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:19.296777010 CEST	5600	49713	79.134.225.47	192.168.2.3
May 12, 2021 12:58:19.811644077 CEST	49713	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:19.887623072 CEST	5600	49713	79.134.225.47	192.168.2.3
May 12, 2021 12:58:20.389714956 CEST	49713	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:20.466945887 CEST	5600	49713	79.134.225.47	192.168.2.3
May 12, 2021 12:58:37.309508085 CEST	49714	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:37.388200998 CEST	5600	49714	79.134.225.47	192.168.2.3
May 12, 2021 12:58:37.891330957 CEST	49714	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:37.971410036 CEST	5600	49714	79.134.225.47	192.168.2.3
May 12, 2021 12:58:38.485261917 CEST	49714	5600	192.168.2.3	79.134.225.47
May 12, 2021 12:58:38.563935041 CEST	5600	49714	79.134.225.47	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 12:56:23.406985044 CEST	51904	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:23.458626986 CEST	53	51904	8.8.8.8	192.168.2.3
May 12, 2021 12:56:24.518009901 CEST	61328	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:24.568092108 CEST	53	61328	8.8.8.8	192.168.2.3
May 12, 2021 12:56:25.969326973 CEST	54130	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:26.020956993 CEST	53	54130	8.8.8.8	192.168.2.3
May 12, 2021 12:56:27.158277035 CEST	56961	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:27.209981918 CEST	53	56961	8.8.8.8	192.168.2.3
May 12, 2021 12:56:28.309333086 CEST	59353	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:28.358119011 CEST	53	59353	8.8.8.8	192.168.2.3
May 12, 2021 12:56:29.464442968 CEST	52238	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:29.516005039 CEST	53	52238	8.8.8.8	192.168.2.3
May 12, 2021 12:56:30.612071991 CEST	49873	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:30.663625956 CEST	53	49873	8.8.8.8	192.168.2.3
May 12, 2021 12:56:31.754771948 CEST	53196	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:31.806375980 CEST	53	53196	8.8.8.8	192.168.2.3
May 12, 2021 12:56:33.239487886 CEST	56777	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:33.288306952 CEST	53	56777	8.8.8.8	192.168.2.3
May 12, 2021 12:56:34.502676010 CEST	58643	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:34.551583052 CEST	53	58643	8.8.8.8	192.168.2.3
May 12, 2021 12:56:35.866019011 CEST	60985	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:35.914777994 CEST	53	60985	8.8.8.8	192.168.2.3
May 12, 2021 12:56:36.802933931 CEST	50200	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:36.851660967 CEST	53	50200	8.8.8.8	192.168.2.3
May 12, 2021 12:56:40.448347092 CEST	51281	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:40.499564886 CEST	53	51281	8.8.8.8	192.168.2.3
May 12, 2021 12:56:40.940287113 CEST	49199	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:40.989149094 CEST	53	49199	8.8.8.8	192.168.2.3
May 12, 2021 12:56:42.111762047 CEST	50620	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:42.163259029 CEST	53	50620	8.8.8.8	192.168.2.3
May 12, 2021 12:56:43.645148039 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:43.693763018 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 12:56:44.513176918 CEST	60152	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:44.562557936 CEST	53	60152	8.8.8.8	192.168.2.3
May 12, 2021 12:56:45.427418947 CEST	57544	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:45.478907108 CEST	53	57544	8.8.8.8	192.168.2.3
May 12, 2021 12:56:45.989885092 CEST	55984	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:46.051681042 CEST	53	55984	8.8.8.8	192.168.2.3
May 12, 2021 12:56:47.784763098 CEST	64185	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:47.835608006 CEST	53	64185	8.8.8.8	192.168.2.3
May 12, 2021 12:56:51.339147091 CEST	65110	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:51.398415089 CEST	53	65110	8.8.8.8	192.168.2.3
May 12, 2021 12:56:56.221163988 CEST	58361	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:56.382705927 CEST	53	58361	8.8.8.8	192.168.2.3
May 12, 2021 12:56:56.920252085 CEST	63492	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:56.971091986 CEST	53	63492	8.8.8.8	192.168.2.3
May 12, 2021 12:56:56.974450111 CEST	60831	53	192.168.2.3	8.8.4.4
May 12, 2021 12:56:57.036442995 CEST	53	60831	8.8.4.4	192.168.2.3
May 12, 2021 12:56:57.085217953 CEST	60100	53	192.168.2.3	8.8.8.8
May 12, 2021 12:56:57.137903929 CEST	53	60100	8.8.8.8	192.168.2.3
May 12, 2021 12:57:01.205702066 CEST	53195	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:01.267685890 CEST	53	53195	8.8.8.8	192.168.2.3
May 12, 2021 12:57:01.295872927 CEST	50141	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:01.353230000 CEST	53	50141	8.8.4.4	192.168.2.3
May 12, 2021 12:57:01.381684065 CEST	53023	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:01.438649893 CEST	53	53023	8.8.8.8	192.168.2.3
May 12, 2021 12:57:05.497879982 CEST	49563	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:05.546752930 CEST	53	49563	8.8.8.8	192.168.2.3
May 12, 2021 12:57:05.550687075 CEST	51352	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:05.602098942 CEST	53	51352	8.8.4.4	192.168.2.3
May 12, 2021 12:57:05.653584003 CEST	59349	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:05.704133987 CEST	53	59349	8.8.8.8	192.168.2.3
May 12, 2021 12:57:09.738672972 CEST	57084	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:09.796117067 CEST	53	57084	8.8.8.8	192.168.2.3
May 12, 2021 12:57:15.127099991 CEST	58823	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:15.178808928 CEST	53	58823	8.8.8.8	192.168.2.3
May 12, 2021 12:57:20.438766003 CEST	57568	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:20.496140003 CEST	53	57568	8.8.8.8	192.168.2.3
May 12, 2021 12:57:25.928478956 CEST	50540	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:25.988092899 CEST	53	50540	8.8.8.8	192.168.2.3
May 12, 2021 12:57:25.990446091 CEST	54366	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:26.050812960 CEST	53	54366	8.8.4.4	192.168.2.3
May 12, 2021 12:57:26.250632048 CEST	53034	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:26.303728104 CEST	53	53034	8.8.8.8	192.168.2.3
May 12, 2021 12:57:30.330436945 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:30.387943029 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 12:57:30.565342903 CEST	55435	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:30.625178099 CEST	53	55435	8.8.4.4	192.168.2.3
May 12, 2021 12:57:30.668559074 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:30.725766897 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 12:57:34.819576025 CEST	56132	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:34.868236065 CEST	53	56132	8.8.8.8	192.168.2.3
May 12, 2021 12:57:34.872184038 CEST	58987	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:34.929403067 CEST	53	58987	8.8.4.4	192.168.2.3
May 12, 2021 12:57:34.962059975 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:35.010709047 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 12:57:39.097064018 CEST	60633	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:39.159198999 CEST	53	60633	8.8.8.8	192.168.2.3
May 12, 2021 12:57:44.428934097 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:44.477756023 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 12:57:49.797447920 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:49.847168922 CEST	53	63619	8.8.8.8	192.168.2.3
May 12, 2021 12:57:55.455099106 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:55.512248039 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 12:57:55.542064905 CEST	61946	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:55.599591017 CEST	53	61946	8.8.4.4	192.168.2.3
May 12, 2021 12:57:55.629410028 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:55.690160990 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 12:57:59.791951895 CEST	52123	53	192.168.2.3	8.8.8.8
May 12, 2021 12:57:59.843535900 CEST	53	52123	8.8.8.8	192.168.2.3
May 12, 2021 12:57:59.848723888 CEST	56130	53	192.168.2.3	8.8.4.4
May 12, 2021 12:57:59.897557020 CEST	53	56130	8.8.4.4	192.168.2.3
May 12, 2021 12:57:59.989219904 CEST	56338	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:00.049000978 CEST	53	56338	8.8.8.8	192.168.2.3
May 12, 2021 12:58:04.107609034 CEST	59420	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:04.167186975 CEST	53	59420	8.8.8.8	192.168.2.3
May 12, 2021 12:58:04.195837021 CEST	58784	53	192.168.2.3	8.8.4.4
May 12, 2021 12:58:04.256079912 CEST	53	58784	8.8.4.4	192.168.2.3
May 12, 2021 12:58:04.366200924 CEST	63978	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:04.423655033 CEST	53	63978	8.8.8.8	192.168.2.3
May 12, 2021 12:58:08.459110975 CEST	62938	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:08.524970055 CEST	53	62938	8.8.8.8	192.168.2.3
May 12, 2021 12:58:13.791480064 CEST	55708	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:13.848495960 CEST	53	55708	8.8.8.8	192.168.2.3
May 12, 2021 12:58:19.162184000 CEST	56803	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:19.219518900 CEST	53	56803	8.8.8.8	192.168.2.3
May 12, 2021 12:58:24.524244070 CEST	57145	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:24.581593037 CEST	53	57145	8.8.8.8	192.168.2.3
May 12, 2021 12:58:24.610419035 CEST	55359	53	192.168.2.3	8.8.4.4
May 12, 2021 12:58:24.670089960 CEST	53	55359	8.8.4.4	192.168.2.3
May 12, 2021 12:58:24.679236889 CEST	58306	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:24.739588022 CEST	53	58306	8.8.8.8	192.168.2.3
May 12, 2021 12:58:28.774804115 CEST	64124	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:28.832019091 CEST	53	64124	8.8.8.8	192.168.2.3
May 12, 2021 12:58:28.835751057 CEST	49361	53	192.168.2.3	8.8.4.4
May 12, 2021 12:58:28.893269062 CEST	53	49361	8.8.4.4	192.168.2.3
May 12, 2021 12:58:28.929292917 CEST	63150	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:28.989382029 CEST	53	63150	8.8.8.8	192.168.2.3
May 12, 2021 12:58:33.031136990 CEST	53279	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:33.083081007 CEST	53	53279	8.8.8.8	192.168.2.3
May 12, 2021 12:58:33.085609913 CEST	56881	53	192.168.2.3	8.8.4.4
May 12, 2021 12:58:33.143788099 CEST	53	56881	8.8.4.4	192.168.2.3
May 12, 2021 12:58:33.188982964 CEST	53642	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:33.249139071 CEST	53	53642	8.8.8.8	192.168.2.3
May 12, 2021 12:58:37.251457930 CEST	55667	53	192.168.2.3	8.8.8.8
May 12, 2021 12:58:37.308605909 CEST	53	55667	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 12:56:40.448347092 CEST	192.168.2.3	8.8.8.8	0x10e3	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:56:45.989885092 CEST	192.168.2.3	8.8.8.8	0x90a9	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:56:51.339147091 CEST	192.168.2.3	8.8.8.8	0x2c8d	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:56:56.920252085 CEST	192.168.2.3	8.8.8.8	0x4e23	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:56:56.974450111 CEST	192.168.2.3	8.8.4.4	0x2cb1	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:56:57.085217953 CEST	192.168.2.3	8.8.8.8	0x47f0	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:01.205702066 CEST	192.168.2.3	8.8.8.8	0xebc2	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:01.295872927 CEST	192.168.2.3	8.8.4.4	0x6461	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:01.381684065 CEST	192.168.2.3	8.8.8.8	0x8cac	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:05.497879982 CEST	192.168.2.3	8.8.8.8	0x4aef	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:05.550687075 CEST	192.168.2.3	8.8.4.4	0x429b	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:05.653584003 CEST	192.168.2.3	8.8.8.8	0x18ac	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:09.738672972 CEST	192.168.2.3	8.8.8.8	0x51c	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:15.127099991 CEST	192.168.2.3	8.8.8.8	0xa95f	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:20.438766003 CEST	192.168.2.3	8.8.8.8	0x61a4	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:25.928478956 CEST	192.168.2.3	8.8.8.8	0x3852	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:25.990446091 CEST	192.168.2.3	8.8.4.4	0xa79f	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:26.250632048 CEST	192.168.2.3	8.8.8.8	0xc041	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:30.330436945 CEST	192.168.2.3	8.8.8.8	0x7228	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:30.565342903 CEST	192.168.2.3	8.8.4.4	0xce8a	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:30.668559074 CEST	192.168.2.3	8.8.8.8	0x8dce	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:34.819576025 CEST	192.168.2.3	8.8.8.8	0x9aa1	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:34.872184038 CEST	192.168.2.3	8.8.4.4	0x4632	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:34.962059975 CEST	192.168.2.3	8.8.8.8	0x32e5	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:39.097064018 CEST	192.168.2.3	8.8.8.8	0x143f	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:44.428934097 CEST	192.168.2.3	8.8.8.8	0xb405	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:49.797447920 CEST	192.168.2.3	8.8.8.8	0x82e5	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:55.455099106 CEST	192.168.2.3	8.8.8.8	0x6095	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:55.542064905 CEST	192.168.2.3	8.8.4.4	0x99ef	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:55.629410028 CEST	192.168.2.3	8.8.8.8	0xfbfe	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:59.791951895 CEST	192.168.2.3	8.8.8.8	0x88d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:59.848723888 CEST	192.168.2.3	8.8.4.4	0xb243	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:57:59.989219904 CEST	192.168.2.3	8.8.8.8	0x785b	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:04.107609034 CEST	192.168.2.3	8.8.8.8	0x442d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:04.195837021 CEST	192.168.2.3	8.8.4.4	0xf896	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:04.366200924 CEST	192.168.2.3	8.8.8.8	0xad5a	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:08.459110975 CEST	192.168.2.3	8.8.8.8	0x1677	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:13.791480064 CEST	192.168.2.3	8.8.8.8	0x8106	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:19.162184000 CEST	192.168.2.3	8.8.8.8	0xef26	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:24.524244070 CEST	192.168.2.3	8.8.8.8	0xf4b4	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:24.610419035 CEST	192.168.2.3	8.8.4.4	0xa3a3	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:24.679236889 CEST	192.168.2.3	8.8.8.8	0x34bc	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:28.774804115 CEST	192.168.2.3	8.8.8.8	0xba8c	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:28.835751057 CEST	192.168.2.3	8.8.4.4	0xf23d	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:28.929292917 CEST	192.168.2.3	8.8.8.8	0xc83c	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:33.031136990 CEST	192.168.2.3	8.8.8.8	0x8c10	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:33.085609913 CEST	192.168.2.3	8.8.4.4	0x96ed	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:33.188982964 CEST	192.168.2.3	8.8.8.8	0xffd4	Standard query (0)	wespeaktruthtoman12.sytes.net	A (IP address)	IN (0x0001)
May 12, 2021 12:58:37.251457930 CEST	192.168.2.3	8.8.8.8	0xc88f	Standard query (0)	wespeaktruthtoman.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 12:56:40.499564886 CEST	8.8.8.8	192.168.2.3	0x10e3	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:56:46.051681042 CEST	8.8.8.8	192.168.2.3	0x90a9	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:56:51.398415089 CEST	8.8.8.8	192.168.2.3	0x2c8d	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:09.796117067 CEST	8.8.8.8	192.168.2.3	0x51c	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:15.178808928 CEST	8.8.8.8	192.168.2.3	0xa95f	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:20.496140003 CEST	8.8.8.8	192.168.2.3	0x61a4	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:39.159198999 CEST	8.8.8.8	192.168.2.3	0x143f	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:44.477756023 CEST	8.8.8.8	192.168.2.3	0xb405	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:57:49.847168922 CEST	8.8.8.8	192.168.2.3	0x82e5	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:58:08.524970055 CEST	8.8.8.8	192.168.2.3	0x1677	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:58:13.848495960 CEST	8.8.8.8	192.168.2.3	0x8106	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:58:19.219518900 CEST	8.8.8.8	192.168.2.3	0xef26	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)
May 12, 2021 12:58:37.308605909 CEST	8.8.8.8	192.168.2.3	0xc88f	No error (0)	wespeaktruthtoman.sytes.net	79.134.225.47	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cXyHZtgrFS.exe PID: 5440 Parent PID: 5628

General

Start time:	12:56:31
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\cXyHZtgrFS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cXyHZtgrFS.exe'
Imagebase:	0x7d0000
File size:	1399296 bytes
MD5 hash:	82F9B9752D04017D3EA889F8A83C6C17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.228642431.0000000003BC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.225843647.0000000002C10000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.229750935.00000000048A7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4944 Parent PID: 5440

General

Start time:	12:56:35
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZLWPrVikqiWD' /XML 'C:\Users\user\AppData\Local\Temp\tmpD5EC.tmp'
Imagebase:	0x180000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1928 Parent PID: 4944

General

Start time:	12:56:35
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 752 Parent PID: 5440

General

Start time:	12:56:35
Start date:	12/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xaa0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cXyHZtgrFS.exe PID: 5440 Parent PID: 5628 cXyHZtgrFS.exeCOMMON

Executed Functions

Function 051B4958, Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.233303725.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6372ee93c9222fef2db4d727ae393a3323f811f06c660b9df622e4d2129a2d
Instruction ID: 2cbc13e2abbf9579a60b96d01b87a828d59dc9b467da829b4ca199c7db12c115
Opcode Fuzzy Hash: fc6372ee93c9222fef2db4d727ae393a3323f811f06c660b9df622e4d2129a2d
Instruction Fuzzy Hash: 2462B334A51618CFDB54DF64C898ADDB7B1BF89300F1186E9D50AAB361DB70AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 051B8470, Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.233303725.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8598c1ead38bcd77f24e249125f68cda8adfaa97064c9b762313307f6194dd
Instruction ID: b99b4460cd5d3c0f0fe54b17d3993aed368a10adb9785dbf2af8fccace313441
Opcode Fuzzy Hash: 8f8598c1ead38bcd77f24e249125f68cda8adfaa97064c9b762313307f6194dd
Instruction Fuzzy Hash: D262C234A50618CFDB54EF64C898ADDB7B1BF89300F2186E9D50AAB361DB70AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 051BAAC1, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.233303725.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a0e17ca1fc25bd1087fd7e87f1b5b2ed34ab84ee5b33f6092f426b8caf45a1
Instruction ID: 98c567679b09baacc3622e913532142fc8de6ade00852cdecfb42c6f3cf06d12
Opcode Fuzzy Hash: 39a0e17ca1fc25bd1087fd7e87f1b5b2ed34ab84ee5b33f6092f426b8caf45a1
Instruction Fuzzy Hash: 8131E6B1D006098BEB08DFAAC9446DEFBF7AF89300F04C0299818BB354EB754946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 051BAAD0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.233303725.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41385fde637979474a6a6df15b290b204c05f7d32e5ab2df8df8f6e478994ef6
Instruction ID: cdf2de1e5f0de01a4278cb29bb15e2136288d8ad6c15fb746158911c43592fd0
Opcode Fuzzy Hash: 41385fde637979474a6a6df15b290b204c05f7d32e5ab2df8df8f6e478994ef6
Instruction Fuzzy Hash: B731D6B1D006098BEB08DFAAD9446DEFBF7AF89300F04C129D818AB254DB754546CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01256B90, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01256C00
GetCurrentThread.KERNEL32 ref: 01256C3D
GetCurrentProcess.KERNEL32 ref: 01256C7A
GetCurrentThreadId.KERNEL32 ref: 01256CD3

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c49e6e9f825b32fa71707b8f30be1e796da5eacb3ae26ae4db77263613352d48
Instruction ID: 72270ab0f62588b182ee1e17faaf7b586e9b2ca1cfa9d050559069c1e0109828
Opcode Fuzzy Hash: c49e6e9f825b32fa71707b8f30be1e796da5eacb3ae26ae4db77263613352d48
Instruction Fuzzy Hash: 5B5175B0E007498FDB54CFA9D688BEEBFF0EF48304F108459E419A7250DB749885CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01256BA0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01256C00
GetCurrentThread.KERNEL32 ref: 01256C3D
GetCurrentProcess.KERNEL32 ref: 01256C7A
GetCurrentThreadId.KERNEL32 ref: 01256CD3

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: da2e8882f00b0fde5b02d913baedd00197ac197f8d3361af5646f5b8fa8a975c
Instruction ID: d13839594f1e94c28a256a283654160cc3e1801491b96612160ae49b32d82de6
Opcode Fuzzy Hash: da2e8882f00b0fde5b02d913baedd00197ac197f8d3361af5646f5b8fa8a975c
Instruction Fuzzy Hash: 155133B0E007498FDB54CFA9D688BAEBBF0EB48314F208459E519A7250DB74A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0125BBB8, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0125BE0E

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 338f6acaeabf2058a0d9cfb98cc72adb9e82b0d654b04d71db16271080a016d6
Instruction ID: 58e654ac08adaef2cb502c5032d0462bd02f52cbe9568c20ed637bbd9ac1ccc6
Opcode Fuzzy Hash: 338f6acaeabf2058a0d9cfb98cc72adb9e82b0d654b04d71db16271080a016d6
Instruction Fuzzy Hash: B8816970A10B068FD764DF29C18476ABBF2FF48204F00892ED986DBA50DB35E846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0125DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125DD8A

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a1fd191567b246312721ba23cc80abb8e2c878c49c87a5c503dd57c9ae3e06d3
Instruction ID: bd3cf76a8a1a52a3de402957350c28039df6c5c4e8993dd6142e4a7f1c3d000c
Opcode Fuzzy Hash: a1fd191567b246312721ba23cc80abb8e2c878c49c87a5c503dd57c9ae3e06d3
Instruction Fuzzy Hash: 2451CEB1D10249DFDB15CFA9C884ADEBFB1BF88314F24812AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0125DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0125DD8A

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b413dd27aa8376834302801550a76c42c2f7f261be0d0b88902968b3bffbc78e
Instruction ID: 24a134a7403094e70f3c7529ebc5463d6ae1576482a2adfff93c34729da0c1e5
Opcode Fuzzy Hash: b413dd27aa8376834302801550a76c42c2f7f261be0d0b88902968b3bffbc78e
Instruction Fuzzy Hash: 1241CEB1D10309DFDB14CFA9C884ADEBBB5BF48314F24812AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01256D51, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01256E4F

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7ebffd9dc65423bb0f8a8e463b365b1b7e52218d4fe3392b311a5a31c220d728
Instruction ID: 06aba5ea03be6b9306bb51509301d3cf3b89e8eeb8192d5e7152ac9e44fe1769
Opcode Fuzzy Hash: 7ebffd9dc65423bb0f8a8e463b365b1b7e52218d4fe3392b311a5a31c220d728
Instruction Fuzzy Hash: C3417976A002489FCB11CFA8D884AEEBFF5FF49310F08805AEA54A7321C7349955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 051B1E9C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 051B3F49

Memory Dump Source

Source File: 00000000.00000002.233303725.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7e21666ae46852723361e9defd741d293b03bc33cadddf8dc7c2b2cdcc34050d
Instruction ID: 1fd63d951413213517b0c4a4870ef171f981eac34a436ea6c780a3c4bb9e5dee
Opcode Fuzzy Hash: 7e21666ae46852723361e9defd741d293b03bc33cadddf8dc7c2b2cdcc34050d
Instruction Fuzzy Hash: 5D410571C00718CFEB24DFA9C8847CEBBB5BF49304F208469D419AB251DBB96945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01256DC0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01256E4F

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d57085fdc8fc42609ddb2f558bbeaac6831946d645279e3d5de6c64f77425ce6
Instruction ID: c38fd083b46c6e19947e318b70940371b616b70e8fcd5c9aa415650634a55acd
Opcode Fuzzy Hash: d57085fdc8fc42609ddb2f558bbeaac6831946d645279e3d5de6c64f77425ce6
Instruction Fuzzy Hash: 6D2100B5D012489FDB10CFA9D884AEEBFF4EF48324F14841AE958A7310D378A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01256DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01256E4F

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b547fbdc0c8661abc3042a19aefd35af0693c4bf80b3eeacae73293edcc34915
Instruction ID: 77377c19d51bff0c4abb111af43a6a01b66122b42277dd49e7a7a67e99afddbf
Opcode Fuzzy Hash: b547fbdc0c8661abc3042a19aefd35af0693c4bf80b3eeacae73293edcc34915
Instruction Fuzzy Hash: 5521F3B5D002089FDB10CFA9D884ADEBBF8FB48324F14841AE918A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0125B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125BE89,00000800,00000000,00000000), ref: 0125C09A

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9d464d37dbc4dfbed36e0289dadc4a0ee2166388ac35fe7f6771776adc5a023
Instruction ID: 3a2aa25f29dd740f130719415e987c81e6d4ea45aa895d2141fbd491bc5a4e37
Opcode Fuzzy Hash: b9d464d37dbc4dfbed36e0289dadc4a0ee2166388ac35fe7f6771776adc5a023
Instruction Fuzzy Hash: 131114B2D003098FDB14DF9AD484BDEFBF8EB49324F00842AE915A7600D775A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0125C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0125BE89,00000800,00000000,00000000), ref: 0125C09A

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 074d8981a7e73c9eaeaeb746751aec005f28634f916946ec2aa3bd739f98dfad
Instruction ID: 21b6f8c12a72f3842d0870c42abfcd09b90a4b0a0a45cdeb1077875ea97ba85d
Opcode Fuzzy Hash: 074d8981a7e73c9eaeaeb746751aec005f28634f916946ec2aa3bd739f98dfad
Instruction Fuzzy Hash: 821147B2D003098FDB10CFA9C484BDEFBF4AB49314F10851ED915A7600C375A94ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0125BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0125BE0E

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 55cb3ef3c756987f705bbcf25fbc03581f6d41de58bf92cc256703123a5853c5
Instruction ID: 70a7ff3a5a4b54915067f19d6f96ec0088c536924b198cd380c6de01cff6defd
Opcode Fuzzy Hash: 55cb3ef3c756987f705bbcf25fbc03581f6d41de58bf92cc256703123a5853c5
Instruction Fuzzy Hash: 6D11F2B6D006498FDB10CF9AC484BDEFBF5EF88324F14841AD929A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0125DEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0125DF1D

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 044afe1cdb4be7ad58694e0ca90db6b5dfd46ccec9c89afa127379d70c3370de
Instruction ID: f428683ab4a2a8f7185fcf8c2ae43a2be798e8017434ea4cbcd21f947dfbbab7
Opcode Fuzzy Hash: 044afe1cdb4be7ad58694e0ca90db6b5dfd46ccec9c89afa127379d70c3370de
Instruction Fuzzy Hash: 401103B59002099FDB10DF99D589BDEBBF4EB48324F14840AE919B7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0125DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0125DF1D

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bad41eebcf3f7fde8e6c12b017ac7e9f9f6092a8c7d167982e3386bb26610655
Instruction ID: 8033f1bfb58ef8be94e62837589ab017f10b8249764af730aacb090df3db82c3
Opcode Fuzzy Hash: bad41eebcf3f7fde8e6c12b017ac7e9f9f6092a8c7d167982e3386bb26610655
Instruction Fuzzy Hash: E311E2B59002499FDB10DF99D588BDEBBF8EB48324F10841AE919A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011ED4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225272140.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6468403827e452e67c01c0b245acd76fccd40a6dd1c7741d3afe9b37c3c07379
Instruction ID: 973460b66843f30c9b5d256acbc7f5cede557ae668683b8ce9f0d10f8842fc53
Opcode Fuzzy Hash: 6468403827e452e67c01c0b245acd76fccd40a6dd1c7741d3afe9b37c3c07379
Instruction Fuzzy Hash: 53210671504640DFDF09CFD4E9C8B26BBB5FF88328F248569E9054B246C336D845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225287879.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263aca877ff445cb1816cc7d1a6f76cbc21c87f9c4bc62b234f1f62830710026
Instruction ID: 9bd762dd502c540076c1f4c2aa3c486f9b8e43f9e3f556ed37a731c3dfc80caa
Opcode Fuzzy Hash: 263aca877ff445cb1816cc7d1a6f76cbc21c87f9c4bc62b234f1f62830710026
Instruction Fuzzy Hash: 8D212271504240DFDF19CF98E9C4B26BB65FB88354F24C96DEA0A4B346C73AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225287879.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83ad8bfeeac5795cfd90c958a3554d56e7e3665135522d6ac6b4578ef80d96c
Instruction ID: 4fb4949003fc1dcaff5520ff41bd0a854da66cc9db5f9d7363ff4086fa82f25c
Opcode Fuzzy Hash: a83ad8bfeeac5795cfd90c958a3554d56e7e3665135522d6ac6b4578ef80d96c
Instruction Fuzzy Hash: 63219F755093808FCB07CF24D994B15BF71EB46214F28C5EED9498F6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 011ED4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225272140.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: f7d09a331bdc80e747d5b2e0f1ec48d38ef93c3f04a28ff31bff49ba0c1c6df4
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 5B11D376404680CFCF16CF94D9C4B16BFB1FF84324F2886A9D8050B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011ED7FD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225272140.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca4eb62430b97bc634d7a4d85dc27781c698c7dc86e93d65d00b369aec6420c
Instruction ID: 29480763f6216a5b1f915edfabc749a8320fdecbedd298fd264b071a76ab9f4c
Opcode Fuzzy Hash: aca4eb62430b97bc634d7a4d85dc27781c698c7dc86e93d65d00b369aec6420c
Instruction Fuzzy Hash: C7012B71408744DAEB184AE9ED88F67BBDCEF41634F08C45AEE085B243D3759844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 011ED7FC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225272140.00000000011ED000.00000040.00000001.sdmp, Offset: 011ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2805691f776849f9a42075a3f8e6f14cdf42a4af99351bb4acb87de151ee504a
Instruction ID: b2271caa37df3e06b51ff214318ac0a1d49e7b217eb15f44759242a2ae745bfc
Opcode Fuzzy Hash: 2805691f776849f9a42075a3f8e6f14cdf42a4af99351bb4acb87de151ee504a
Instruction Fuzzy Hash: 5FF0F671404744AFEB148A5ADDC8BA2FFDCEB41734F18C45AED081B287C3799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0125C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6d233238c403c2dc0902dff5e41db4dc514091231e04b1002ef77c527084e6
Instruction ID: 5fc4e53ed6fb9629cff8f9e889966f08e3428b58d9574c4c9149a7356eb2150d
Opcode Fuzzy Hash: 1b6d233238c403c2dc0902dff5e41db4dc514091231e04b1002ef77c527084e6
Instruction Fuzzy Hash: 6D526AB1D517068BD738CF18E4C95B93BB1FB44324BD28A08C6516BA90EBB4A56FCF44

Uniqueness

Uniqueness Score: -1.00%

Function 01259968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.225359681.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c7e09b21e2f13a841b2f7688052f1f75e6f17b7960ea7e47c2fcd310233b7a
Instruction ID: 83901f4a98ab3de4005a9c0df04962f0808a6bfbc4e8e8eaf0897d48f64cbe57
Opcode Fuzzy Hash: 13c7e09b21e2f13a841b2f7688052f1f75e6f17b7960ea7e47c2fcd310233b7a
Instruction Fuzzy Hash: ECA18332E1021A8FCF15DFB9C8845EEBBB2FF85304B15856AE905BB261DB35D915CB40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report cXyHZtgrFS.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos