Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Sample Name: 7keerHhHvn.exe
Analysis ID: 458550
MD5: 782783574d2d4b67666b77b686c2e673
SHA1: 8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256: 0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
Tags: exe, Malware

Detection

NanoCore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "07e10254-b226-4020-a6dd-2e85529c", "Group": "FRANCE", "Domain1": "mexi11.ddns.net", "Domain2": "127.0.0.1", "Port": 4040, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: 7keerHhHvn.exe Virustotal: Detection: 25%
Source: 7keerHhHvn.exe ReversingLabs: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\subfolder1\filename1.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 7keerHhHvn.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 7keerHhHvn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mexi11.ddns.net
Source: Malware configuration extractor URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown DNS query: name: mexi11.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 194.5.98.74:4040
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Source: unknown UDP traffic detected without corresponding DNS query: 37.235.1.174 (25 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 37.235.1.177 (25 occurrences)
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download
Source: RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=6D6F745EC8C6F9D8&resid=6D6F745EC8C6F9D8%21108&authkey=AKJRgu_
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/p
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp String found in binary or memory: https://vt8dlg.bn.files.1drv.com/
Source: RegAsm.exe, 00000026.00000002.763005730.0000000001755000.00000004.00000020.sdmp String found in binary or memory: https://vt8dlg.bn.files.1drv.com/y4mrn2hczejFxJUaC7t02Lzk3UBxBtUoFTWBuN2lZyzI4ePO5huRlr2N1MK6Md6g2le
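The extracted configuration in the AV Detection section and the Networking evidence above describe the same implant from two sides, and the two can be cross-checked mechanically. The Python below is an added example, not part of the Joe Sandbox report: it takes the relevant keys of the extractor's NanoCore config (copied verbatim from the report), a handful of evidence lines copied from the Networking and System Summary sections, and checks that the configured C2 host was resolved, that a connection went to the configured port, that the "UDP traffic without corresponding DNS query" matches the configured custom resolver, and that the mutant created at runtime matches the configured mutex. The regexes and helper names are our own. One caveat the example handles explicitly: the extractor reports the mutex as 07e10254-b226-4020-a6dd-2e85529c (8-4-4-4-8 hex digits), which is shorter than a GUID, while the mutant actually created is {07e10254-b226-4020-a6dd-2e85529cdca0}; the check therefore matches on prefix rather than equality.

```python
"""Cross-check a NanoCore configuration against behavioural evidence lines.

Added example, not part of the Joe Sandbox report: config keys and evidence
lines are copied from the report; helper names and regexes are our own."""
import re

# Keys copied verbatim from the report's extracted configuration (subset).
NANOCORE_CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "07e10254-b226-4020-a6dd-2e85529c",   # shorter than a full GUID
    "Domain1": "mexi11.ddns.net",
    "Domain2": "127.0.0.1",                        # NanoCore's unused-slot placeholder
    "Port": 4040,
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "",
    "BackupDNSServer": "37.235.1.177",
}

# Evidence lines copied from the report (Networking and System Summary sections).
EVIDENCE = [
    "DNS query: name: mexi11.ddns.net",
    "TCP traffic: 192.168.2.3:49739 -> 194.5.98.74:4040",
    "UDP traffic detected without corresponding DNS query: 37.235.1.174",
    "UDP traffic detected without corresponding DNS query: 37.235.1.177",
    r"Mutant created: \Sessions\1\BaseNamedObjects\Global\{07e10254-b226-4020-a6dd-2e85529cdca0}",
]

GUID_RE = re.compile(
    r"\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}", re.I)
ENDPOINT_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PLACEHOLDER_HOSTS = {"", "127.0.0.1", "localhost"}


def c2_indicators(cfg):
    """(host, port) pairs worth blocking; loopback placeholders are dropped."""
    port = int(cfg["Port"])
    return [(cfg.get(k, ""), port) for k in ("Domain1", "Domain2")
            if cfg.get(k, "") not in PLACEHOLDER_HOSTS]


def custom_dns_servers(cfg):
    """Resolvers the implant uses instead of the system's, if custom DNS is enabled."""
    if cfg.get("UseCustomDNS") != "Enable":
        return []
    return [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]


def mutex_matches(cfg_mutex, line):
    """Extractors may truncate the mutex, so compare it as a prefix of the observed GUID."""
    m = GUID_RE.search(line)
    return m is not None and m.group(1).lower().startswith(cfg_mutex.lower())


def correlate(cfg, lines):
    """Map each configured indicator to the evidence lines that confirm it."""
    c2 = c2_indicators(cfg)
    c2_ports = {port for _, port in c2}
    dns = set(custom_dns_servers(cfg))
    found = {"c2_hosts_resolved": [], "c2_port_connections": [],
             "custom_dns_traffic": [], "mutex": None}
    for line in lines:
        if "DNS query:" in line:
            found["c2_hosts_resolved"] += [h for h, _ in c2 if h in line]
        ep = ENDPOINT_RE.search(line)
        if ep and int(ep.group(2)) in c2_ports:
            found["c2_port_connections"].append(f"{ep.group(1)}:{ep.group(2)}")
        if "without corresponding DNS query" in line:
            found["custom_dns_traffic"] += [ip for ip in IPV4_RE.findall(line) if ip in dns]
        if "Mutant created" in line and mutex_matches(cfg["Mutex"], line):
            found["mutex"] = GUID_RE.search(line).group(1)
    return found


if __name__ == "__main__":
    for key, value in correlate(NANOCORE_CONFIG, EVIDENCE).items():
        print(f"{key}: {value}")
```

Two points follow from running it. Domain2 = 127.0.0.1 is excluded from the indicator list so that a loopback address never lands in a blocklist. The UDP traffic to 37.235.1.174 has no counterpart in the config (PrimaryDNSServer is empty) while 37.235.1.177 is the configured backup; 37.235.1.174 and 37.235.1.177 are the public FreeDNS resolver pair, so the implant resolves its dynamic-DNS C2 through a third-party resolver rather than the sandbox's, which is exactly why the sandbox logs UDP traffic with no matching DNS query of its own.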

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_004028BC GetAsyncKeyState, 0_2_004028BC
Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 38_2_202E2FA8 38_2_202E2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 38_2_202E23A0 38_2_202E23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 38_2_202E306F 38_2_202E306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 38_2_202E3850 38_2_202E3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 41_2_1FCF2FA8 41_2_1FCF2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 41_2_1FCF23A0 41_2_1FCF23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 41_2_1FCF3850 41_2_1FCF3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 41_2_1FCF306F 41_2_1FCF306F
Sample file is different than original file name gathered from version info
Source: 7keerHhHvn.exe, 00000000.00000000.206884693.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll (3 occurrences)
Uses 32bit PE files
Source: 7keerHhHvn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/3@126/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{07e10254-b226-4020-a6dd-2e85529cdca0}
Source: C:\Users\user\Desktop\7keerHhHvn.exe File created: C:\Users\user\AppData\Local\Temp\~DF6E485E0163CE766C.TMP
Source: 7keerHhHvn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7keerHhHvn.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\7keerHhHvn.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\7keerHhHvn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts (10 occurrences)
Source: 7keerHhHvn.exe Virustotal: Detection: 25%
Source: 7keerHhHvn.exe ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Users\user\Desktop\7keerHhHvn.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\Desktop\7keerHhHvn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_004066EE push edx; iretd 0_2_004066EF
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_00407D67 push es; ret 0_2_00407D68
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C143DC push ebp; ret 0_2_03C143EE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12DDF push ss; retf 0_2_03C12E11
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C14FDF push es; ret 0_2_03C14FF2
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12593 push ss; retf 0_2_03C12595
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C14598 push ss; ret 0_2_03C14599
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12BB8 push ss; retf 0_2_03C12BED
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12D17 push ss; ret 0_2_03C12D1A
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C124E4 push ss; retf 0_2_03C124E5
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C120EE push edi; ret 0_2_03C120F2
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C140F3 push esp; ret 0_2_03C140F6
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C156A2 push FFFFFFE5h; ret 0_2_03C156AB
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C120AA push edi; ret 0_2_03C120E6
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C156AD push FFFFFFE5h; ret 0_2_03C156AB
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12203 pushad ; ret 0_2_03C12216
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C13C0B push esi; ret 0_2_03C13C0E
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_03C12E12 push ss; retf 0_2_03C12E11
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A912CB push ss; retf 27_2_02A912D5
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A93C2C pushfd ; iretd 27_2_02A93C9E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A96220 push ds; ret 27_2_02A96303
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A93604 push ss; retf 27_2_02A93609
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A93C1F pushfd ; iretd 27_2_02A93C9E
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A94612 push ss; ret 27_2_02A94619
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A9625A push ds; ret 27_2_02A96303
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A9665E push FFFFFF8Dh; ret 27_2_02A96697
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A94653 pushad ; ret 27_2_02A94658
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A93FB2 pushad ; retf 27_2_02A93FB9
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A95DB5 push cs; iretd 27_2_02A95E62
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A90FB7 push eax; ret 27_2_02A90FCB
Source: C:\Users\user\subfolder1\filename1.exe Code function: 27_2_02A92BDD push ss; retf 27_2_02A92BED

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\7keerHhHvn.exe RDTSC instruction interceptor: First address: 0000000003C111D1 second address: 0000000003C1734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001121FB1 second address: 0000000001121FB1 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001123F9B second address: 0000000001123F9B instructions:
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A911D1 second address: 0000000002A9734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002AE11D1 second address: 0000000002AE734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001303F9B second address: 0000000001303F9B instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D03F9B second address: 0000000000D03F9B instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\7keerHhHvn.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\7keerHhHvn.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp, filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp, filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp, RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=\FILENAME1.EXE\SUBFOLDER1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCESTARTUP KEYHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=6D6F745EC8C6F9D8&RESID=6D6F745EC8C6F9D8%21108&AUTHKEY=AKJRGU_G9CQ6TRKWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\7keerHhHvn.exe RDTSC instruction interceptor: First address: 0000000003C16090 second address: 0000000003C16090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\Desktop\7keerHhHvn.exe RDTSC instruction interceptor: First address: 0000000003C163DB second address: 0000000003C163DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\7keerHhHvn.exe RDTSC instruction interceptor: First address: 0000000003C111D1 second address: 0000000003C1734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001126090 second address: 0000000001126090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000011263DB second address: 00000000011263DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA90371EA8h 0x0000002e popad 0x0000002f call 00007FFA9036EAB3h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001121FB1 second address: 0000000001121FB1 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001123F9B second address: 0000000001123F9B instructions:
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A96090 second address: 0000000002A96090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002AE6090 second address: 0000000002AE6090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A963DB second address: 0000000002A963DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002A911D1 second address: 0000000002A9734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002AE63DB second address: 0000000002AE63DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000002AE11D1 second address: 0000000002AE734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001306090 second address: 0000000001306090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D06090 second address: 0000000000D06090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000013063DB second address: 00000000013063DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D063DB second address: 0000000000D063DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA90371EA8h 0x0000002e popad 0x0000002f call 00007FFA9036EAB3h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001303F9B second address: 0000000001303F9B instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D03F9B second address: 0000000000D03F9B instructions:
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: threadDelayed 1085
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: threadDelayed 846
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: foregroundWindowGot 1268
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window / User API: foregroundWindowGot 511
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124 Thread sleep time: -54250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5156 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6076 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=\filename1.exe\subfolder1Software\Microsoft\Windows\CurrentVersion\RunOnceStartup keyhttps://onedrive.live.com/download?cid=6D6F745EC8C6F9D8&resid=6D6F745EC8C6F9D8%21108&authkey=AKJRgu_G9cq6Trkwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.763005730.0000000001755000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp, filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp, filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp, RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0!v
Source: C:\Users\user\Desktop\7keerHhHvn.exe System information queried: ModuleInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\7keerHhHvn.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Users\user\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
Source: C:\Users\user\subfolder1\filename1.exe Process queried: DebugPort
Source: C:\Users\user\subfolder1\filename1.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\7keerHhHvn.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1120000
Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1300000
Source: C:\Users\user\subfolder1\filename1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Nanocore RAT
Source: Yara match File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegAsm.exe, 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR