Play interactive tour

Edit tour

Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Sample Name:	7keerHhHvn.exe
Analysis ID:	458550
MD5:	782783574d2d4b67666b77b686c2e673
SHA1:	8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256:	0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
Tags:	exeMalware
Infos:
Most interesting Screenshot:

Detection

Nanocore GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

GuLoader behavior detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected GuLoader

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7keerHhHvn.exe (PID: 1056 cmdline: 'C:\Users\user\Desktop\7keerHhHvn.exe' MD5: 782783574D2D4B67666B77B686C2E673)

RegAsm.exe (PID: 2476 cmdline: 'C:\Users\user\Desktop\7keerHhHvn.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

filename1.exe (PID: 2344 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 782783574D2D4B67666B77B686C2E673)

RegAsm.exe (PID: 4168 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 3448 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 5904 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

filename1.exe (PID: 5512 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 782783574D2D4B67666B77B686C2E673)

RegAsm.exe (PID: 5376 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 4736 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "07e10254-b226-4020-a6dd-2e85529c", "Group": "FRANCE", "Domain1": "mexi11.ddns.net", "Domain2": "127.0.0.1", "Port": 4040, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493f5:$a: NanoCore 0x4944e:$a: NanoCore 0x4948b:$a: NanoCore 0x49504:$a: NanoCore 0x5cbaf:$a: NanoCore 0x5cbc4:$a: NanoCore 0x5cbf9:$a: NanoCore 0x7567b:$a: NanoCore 0x75690:$a: NanoCore 0x756c5:$a: NanoCore 0x49457:$b: ClientPlugin 0x49494:$b: ClientPlugin 0x49d92:$b: ClientPlugin 0x49d9f:$b: ClientPlugin 0x5c96b:$b: ClientPlugin 0x5c986:$b: ClientPlugin 0x5c9b6:$b: ClientPlugin 0x5cbcd:$b: ClientPlugin 0x5cc02:$b: ClientPlugin 0x75437:$b: ClientPlugin 0x75452:$b: ClientPlugin
00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493f5:$a: NanoCore 0x4944e:$a: NanoCore 0x4948b:$a: NanoCore 0x49504:$a: NanoCore 0x5cbaf:$a: NanoCore 0x5cbc4:$a: NanoCore 0x5cbf9:$a: NanoCore 0x7567b:$a: NanoCore 0x75690:$a: NanoCore 0x756c5:$a: NanoCore 0x49457:$b: ClientPlugin 0x49494:$b: ClientPlugin 0x49d92:$b: ClientPlugin 0x49d9f:$b: ClientPlugin 0x5c96b:$b: ClientPlugin 0x5c986:$b: ClientPlugin 0x5c9b6:$b: ClientPlugin 0x5cbcd:$b: ClientPlugin 0x5cc02:$b: ClientPlugin 0x75437:$b: ClientPlugin 0x75452:$b: ClientPlugin
00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a47:$a: NanoCore 0x23aa0:$a: NanoCore 0x23add:$a: NanoCore 0x23b56:$a: NanoCore 0x23aa9:$b: ClientPlugin 0x23ae6:$b: ClientPlugin 0x243e4:$b: ClientPlugin 0x243f1:$b: ClientPlugin 0x1b295:$e: KeepAlive 0x23f31:$g: LogClientMessage 0x23eb1:$i: get_Connected 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ae5:$j: #=q 0x15b0d:$j: #=q 0x15b3d:$j: #=q 0x15b6d:$j: #=q 0x15b9d:$j: #=q 0x15bcd:$j: #=q 0x15be9:$j: #=q 0x15c19:$j: #=q
00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a47:$a: NanoCore 0x23aa0:$a: NanoCore 0x23add:$a: NanoCore 0x23b56:$a: NanoCore 0x23aa9:$b: ClientPlugin 0x23ae6:$b: ClientPlugin 0x243e4:$b: ClientPlugin 0x243f1:$b: ClientPlugin 0x1b295:$e: KeepAlive 0x23f31:$g: LogClientMessage 0x23eb1:$i: get_Connected 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ae5:$j: #=q 0x15b0d:$j: #=q 0x15b3d:$j: #=q 0x15b6d:$j: #=q 0x15b9d:$j: #=q 0x15bcd:$j: #=q 0x15be9:$j: #=q 0x15c19:$j: #=q
00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 5904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 5904	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 5904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66d5:$a: NanoCore 0x6767:$a: NanoCore 0x677b:$a: NanoCore 0x144b0:$a: NanoCore 0x14509:$a: NanoCore 0x14546:$a: NanoCore 0x145bf:$a: NanoCore 0x14e71:$a: NanoCore 0x14ec4:$a: NanoCore 0x14efd:$a: NanoCore 0x14f70:$a: NanoCore 0x1c505:$a: NanoCore 0x1c518:$a: NanoCore 0x1c54a:$a: NanoCore 0x21d12:$a: NanoCore 0x21d25:$a: NanoCore 0x21d57:$a: NanoCore 0x3c29c:$a: NanoCore 0x3c30a:$a: NanoCore 0x3c399:$a: NanoCore 0x41848:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 4736	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4736	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 4736	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4ddd:$a: NanoCore 0x4e36:$a: NanoCore 0x4e73:$a: NanoCore 0x4eec:$a: NanoCore 0x57a5:$a: NanoCore 0x57f8:$a: NanoCore 0x5831:$a: NanoCore 0x58a4:$a: NanoCore 0xce5e:$a: NanoCore 0xce71:$a: NanoCore 0xcea3:$a: NanoCore 0x12673:$a: NanoCore 0x12686:$a: NanoCore 0x126b8:$a: NanoCore 0x3a75f:$a: NanoCore 0x3a7cd:$a: NanoCore 0x3a85c:$a: NanoCore 0x3fced:$a: NanoCore 0x3fd73:$a: NanoCore 0x4e3f:$b: ClientPlugin 0x4e7c:$b: ClientPlugin
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
38.2.RegAsm.exe.1e1f3c68.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
38.2.RegAsm.exe.1e1f3c68.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f219616.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
38.2.RegAsm.exe.1f219616.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f219616.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
38.2.RegAsm.exe.1f219616.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
41.2.RegAsm.exe.1ebfe44c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
41.2.RegAsm.exe.1ebfe44c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
41.2.RegAsm.exe.1ebfe44c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
41.2.RegAsm.exe.1dbd3c68.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
41.2.RegAsm.exe.1dbd3c68.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f21e44c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
38.2.RegAsm.exe.1f21e44c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f21e44c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
41.2.RegAsm.exe.1ebf9616.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
41.2.RegAsm.exe.1ebf9616.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
41.2.RegAsm.exe.1ebf9616.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
41.2.RegAsm.exe.1ebf9616.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
38.2.RegAsm.exe.1f21e44c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
38.2.RegAsm.exe.1f21e44c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f21e44c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
41.2.RegAsm.exe.1ec02a75.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
41.2.RegAsm.exe.1ec02a75.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
41.2.RegAsm.exe.1ec02a75.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
38.2.RegAsm.exe.1f222a75.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
38.2.RegAsm.exe.1f222a75.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
38.2.RegAsm.exe.1f222a75.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
41.2.RegAsm.exe.1ebfe44c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
41.2.RegAsm.exe.1ebfe44c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
41.2.RegAsm.exe.1ebfe44c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 25 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 2476, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "07e10254-b226-4020-a6dd-2e85529c", "Group": "FRANCE", "Domain1": "mexi11.ddns.net", "Domain2": "127.0.0.1", "Port": 4040, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\subfolder1\filename1.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: 7keerHhHvn.exe	Virustotal: Detection: 25%			Perma Link
Source: 7keerHhHvn.exe	ReversingLabs: Detection: 26%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\subfolder1\filename1.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 7keerHhHvn.exe

Joe Sandbox ML: detected

Source: 7keerHhHvn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: mexi11.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: mexi11.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 194.5.98.74:4040

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.177

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download
Source: RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=6D6F745EC8C6F9D8&resid=6D6F745EC8C6F9D8%21108&authkey=AKJRgu_
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/p
Source: RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp	String found in binary or memory: https://vt8dlg.bn.files.1drv.com/
Source: RegAsm.exe, 00000026.00000002.763005730.0000000001755000.00000004.00000020.sdmp	String found in binary or memory: https://vt8dlg.bn.files.1drv.com/y4mrn2hczejFxJUaC7t02Lzk3UBxBtUoFTWBuN2lZyzI4ePO5huRlr2N1MK6Md6g2le

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Code function: 0_2_004028BC GetAsyncKeyState,

Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 38_2_202E2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 38_2_202E23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 38_2_202E306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 38_2_202E3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 41_2_1FCF2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 41_2_1FCF23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 41_2_1FCF3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 41_2_1FCF306F

Source: 7keerHhHvn.exe, 00000000.00000000.206884693.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe	Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll

Source: 7keerHhHvn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1e1f3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1dbd3c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/3@126/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\subfolder1

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{07e10254-b226-4020-a6dd-2e85529cdca0}

Source: C:\Users\user\Desktop\7keerHhHvn.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6E485E0163CE766C.TMP

Jump to behavior

Source: 7keerHhHvn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\7keerHhHvn.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 7keerHhHvn.exe	Virustotal: Detection: 25%
Source: 7keerHhHvn.exe	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\7keerHhHvn.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_004066EE push edx; iretd
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_00407D67 push es; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C143DC push ebp; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12DDF push ss; retf
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C14FDF push es; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12593 push ss; retf
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C14598 push ss; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12BB8 push ss; retf
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12D17 push ss; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C124E4 push ss; retf
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C120EE push edi; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C140F3 push esp; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C156A2 push FFFFFFE5h; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C120AA push edi; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C156AD push FFFFFFE5h; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12203 pushad ; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C13C0B push esi; ret
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_03C12E12 push ss; retf
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A912CB push ss; retf
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A93C2C pushfd ; iretd
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A96220 push ds; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A93604 push ss; retf
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A93C1F pushfd ; iretd
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A94612 push ss; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A9625A push ds; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A9665E push FFFFFF8Dh; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A94653 pushad ; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A93FB2 pushad ; retf
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A95DB5 push cs; iretd
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A90FB7 push eax; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 27_2_02A92BDD push ss; retf

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\subfolder1\filename1.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	RDTSC instruction interceptor: First address: 0000000003C111D1 second address: 0000000003C1734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001121FB1 second address: 0000000001121FB1 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001123F9B second address: 0000000001123F9B instructions:
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002A911D1 second address: 0000000002A9734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002AE11D1 second address: 0000000002AE734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001303F9B second address: 0000000001303F9B instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000D03F9B second address: 0000000000D03F9B instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\7keerHhHvn.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\subfolder1\filename1.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\subfolder1\filename1.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\subfolder1\filename1.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\subfolder1\filename1.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp, filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp, filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp, RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=\FILENAME1.EXE\SUBFOLDER1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCESTARTUP KEYHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=6D6F745EC8C6F9D8&RESID=6D6F745EC8C6F9D8%21108&AUTHKEY=AKJRGU_G9CQ6TRKWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	RDTSC instruction interceptor: First address: 0000000003C16090 second address: 0000000003C16090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\Desktop\7keerHhHvn.exe	RDTSC instruction interceptor: First address: 0000000003C163DB second address: 0000000003C163DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\7keerHhHvn.exe	RDTSC instruction interceptor: First address: 0000000003C111D1 second address: 0000000003C1734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001126090 second address: 0000000001126090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000011263DB second address: 00000000011263DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA90371EA8h 0x0000002e popad 0x0000002f call 00007FFA9036EAB3h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001121FB1 second address: 0000000001121FB1 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001123F9B second address: 0000000001123F9B instructions:
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002A96090 second address: 0000000002A96090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002AE6090 second address: 0000000002AE6090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002A963DB second address: 0000000002A963DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002A911D1 second address: 0000000002A9734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002AE63DB second address: 0000000002AE63DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\subfolder1\filename1.exe	RDTSC instruction interceptor: First address: 0000000002AE11D1 second address: 0000000002AE734D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FFA90374B8Eh 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001306090 second address: 0000000001306090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9039B2C6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9039B27Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9039B1C4h 0x00000084 jmp 00007FFA9039B2D2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9039B2E4h 0x0000009c call 00007FFA9039B2F8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000D06090 second address: 0000000000D06090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FFA9036EA76h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FFA9036EA2Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FFA9036E974h 0x00000084 jmp 00007FFA9036EA82h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FFA9036EA94h 0x0000009c call 00007FFA9036EAA8h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000013063DB second address: 00000000013063DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA9039E6F8h 0x0000002e popad 0x0000002f call 00007FFA9039B303h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000D063DB second address: 0000000000D063DB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 179B936Ch 0x00000013 xor eax, 12709E28h 0x00000018 add eax, 314D5628h 0x0000001d sub eax, 3738636Bh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FFA90371EA8h 0x0000002e popad 0x0000002f call 00007FFA9036EAB3h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001303F9B second address: 0000000001303F9B instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000D03F9B second address: 0000000000D03F9B instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 1085
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 846
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 1268
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 511

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1124	Thread sleep time: -54250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5156	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=\filename1.exe\subfolder1Software\Microsoft\Windows\CurrentVersion\RunOnceStartup keyhttps://onedrive.live.com/download?cid=6D6F745EC8C6F9D8&resid=6D6F745EC8C6F9D8%21108&authkey=AKJRgu_G9cq6Trkwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.763005730.0000000001755000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: 7keerHhHvn.exe, 00000000.00000002.453217523.0000000003C50000.00000004.00000001.sdmp, filename1.exe, 0000001B.00000002.756747203.0000000003DB0000.00000004.00000001.sdmp, filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp, RegAsm.exe, 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: filename1.exe, 0000001C.00000002.767000852.0000000003C20000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW0!v

Source: C:\Users\user\Desktop\7keerHhHvn.exe

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\subfolder1\filename1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\subfolder1\filename1.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort
Source: C:\Users\user\subfolder1\filename1.exe	Process queried: DebugPort
Source: C:\Users\user\subfolder1\filename1.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1120000
Source: C:\Users\user\subfolder1\filename1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1300000
Source: C:\Users\user\subfolder1\filename1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D00000

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\7keerHhHvn.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\subfolder1\filename1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\subfolder1\filename1.exe'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegAsm.exe, 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 38.2.RegAsm.exe.1f219616.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebf9616.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f21e44c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ec02a75.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.1f222a75.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.RegAsm.exe.1ebfe44c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4736, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection111	Masquerading1	Input Capture21	Security Software Discovery611	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion231	Security Account Manager	Virtualization/Sandbox Evasion231	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery23	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7keerHhHvn.exe	26%	Virustotal		Browse
7keerHhHvn.exe	27%	ReversingLabs	Win32.Trojan.AgentTesla
7keerHhHvn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\subfolder1\filename1.exe	100%	Joe Sandbox ML
C:\Users\user\subfolder1\filename1.exe	31%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mexi11.ddns.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
mexi11.ddns.net	5%	Virustotal		Browse
mexi11.ddns.net	0%	Avira URL Cloud	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mexi11.ddns.net	194.5.98.74	true	true	5%, Virustotal, Browse	unknown
onedrive.live.com	unknown	unknown	false		high
vt8dlg.bn.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mexi11.ddns.net	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://onedrive.live.com/download	RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	false	high
https://vt8dlg.bn.files.1drv.com/	RegAsm.exe, 00000026.00000002.762977823.0000000001739000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/p	RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/download?cid=6D6F745EC8C6F9D8&resid=6D6F745EC8C6F9D8%21108&authkey=AKJRgu_	RegAsm.exe, 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp	false	high
https://onedrive.live.com/	RegAsm.exe, 00000026.00000002.762926600.000000000170B000.00000004.00000020.sdmp	false	high
https://vt8dlg.bn.files.1drv.com/y4mrn2hczejFxJUaC7t02Lzk3UBxBtUoFTWBuN2lZyzI4ePO5huRlr2N1MK6Md6g2le	RegAsm.exe, 00000026.00000002.763005730.0000000001755000.00000004.00000020.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.74	mexi11.ddns.net	Netherlands		208476	DANILENKODE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458550
Start date:	03.08.2021
Start time:	14:44:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	7keerHhHvn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/3@126/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.4% (good quality ratio 1.6%) Quality average: 13.5% Quality standard deviation: 21.5%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.211.6.115, 104.43.139.144, 23.211.4.86, 20.82.210.154, 173.222.108.226, 173.222.108.210, 40.112.88.60, 80.67.82.211, 80.67.82.235, 13.107.43.13, 13.107.43.12, 20.54.110.249, 13.107.42.13, 13.107.42.12, 40.126.31.3, 40.126.31.5, 40.126.31.9, 40.126.31.2, 20.190.159.137, 20.190.159.131, 40.126.31.136, 40.126.31.7, 20.73.194.208, 40.127.240.158, 23.203.67.116 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, cdn.onenote.net.edgekey.net, odc-bn-files-geo.onedrive.akadns.net, skypedataprdcoleus15.cloudapp.net, l-0003.l-msedge.net, login.live.com, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, odc-bn-files-brs.onedrive.akadns.net, skypedataprdcolcus16.cloudapp.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, odc-web-geo.onedrive.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, l-0003.dc-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, login.msa.msidentity.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:47:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
14:47:01	API Interceptor	2932x Sleep call for process: RegAsm.exe modified
14:47:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Purchase.exe	Get hash	malicious	Browse	194.5.97.150
	Fec9qUX4at.exe	Get hash	malicious	Browse	194.5.97.128
	Ordonnance PL-PB39-210706,pdf.exe	Get hash	malicious	Browse	194.5.98.7
	Tzcyxxestkakhuvtmvfdserywturrfjrye.exe	Get hash	malicious	Browse	194.5.98.72
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Fd5tz8:n5tz8
MD5:	0F6770A104CD85E855C5A5EA85348B17
SHA1:	CD431CBC296446258B44671D7E72667C1B2E37E0
SHA-256:	07687E2CAB23D13E10044B95462C52C12C30F41AED319621FEEBEE9F111D983B
SHA-512:	85689CC95B8D0DD414238D61A1257CAD7228FED52F2BC47DA87571B6725DBBCB2FE3C6F3F72FC9CE73CDD2FAFB34CD33C9C32C28EF7DD2BBA24038D2B6437BB4
Malicious:	true
Preview:	Y.8..V.H

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143360
Entropy (8bit):	6.460043863848558
Encrypted:	false
SSDEEP:	3072:S5CCbi+/47tQatuMBmrBeMn5m4vvt6g58:Ai+/g/tuMQlzVntV
MD5:	782783574D2D4B67666B77B686C2E673
SHA1:	8EEEC0963FA7EAF3115335C03315ECC203BABF9B
SHA-256:	0D2AEB4A2F85B9BF8AE3990A3DDEA5A242D0DB5186263E3CCF2435BBC48EC478
SHA-512:	1E500C34D0A1CB7D53661A5759C9D1325A119D86813FD4204F6586B5BF5D16FBF774C694AB6AE367567C38FA38077DD8F1B47991245AFA4B6BA5292B235839FA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...S..Q.....................0....................@..........................@......1...........................................(....0.. ...................................................................(... ....................................text............................... ..`.data...............................@....rsrc... ....0....... ..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.460043863848558
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7keerHhHvn.exe
File size:	143360
MD5:	782783574d2d4b67666b77b686c2e673
SHA1:	8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256:	0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
SHA512:	1e500c34d0a1cb7d53661a5759c9d1325a119d86813fd4204f6586b5bf5d16fbf774c694ab6ae367567c38fa38077dd8f1b47991245afa4b6ba5292b235839fa
SSDEEP:	3072:S5CCbi+/47tQatuMBmrBeMn5m4vvt6g58:Ai+/g/tuMQlzVntV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...S..Q.....................0....................@................

File Icon


Icon Hash:	c4e8c8cccce0e8e8

Static PE Info

General
Entrypoint:	0x4014b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x51ACB753 [Mon Jun 3 15:33:39 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

Instruction
push 00401F54h
call 00007FFA90E7A583h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-67h], dl
sbb esi, dword ptr [ebx+4EFEB052h]
stosb
sbb cl, byte ptr [ecx+74h]
ret
test dword ptr [edx], esi
in al, dx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
inc esi
popad
insb
jc 00007FFA90E7A5F5h
insb
jne 00007FFA90E7A5FFh
imul esi, dword ptr [eax+eax], 00000000h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add bh, dl
movsb
add al, 03h
pop eax
movsd
test byte ptr [ebx-43h], 00000048h
dec eax
inc ebp
ror dl, 0000002Fh
and al, byte ptr [edx+6Eh]
mov al, 41h
fistp word ptr [ecx+43h]
xchg eax, edi
sti
push ebx
mov ebx, 3AE1F6F1h
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc al, 09h
add byte ptr [eax], al
wbinvd
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebp+4Fh], cl
inc ecx
dec esi
dec ecx
inc esi
add byte ptr [54000901h], cl
jne 00007FFA90E7A600h
insd
je 00007FFA90E7A5F4h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x206f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xc20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fcec	0x20000	False	0.384429931641	data	6.7545432225	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x11bc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xc20	0x1000	False	0.314453125	data	3.28015845724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x23378	0x8a8	data
RT_GROUP_ICON	0x23364	0x14	data
RT_VERSION	0x230f0	0x274	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Absurditiesun
FileVersion	1.00
CompanyName	Intersection Road
Comments	Intersection Road
ProductName	Unrapedb6
ProductVersion	1.00
OriginalFilename	Absurditiesun.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 14:47:35.739195108 CEST	49739	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:47:35.783749104 CEST	4040	49739	194.5.98.74	192.168.2.3
Aug 3, 2021 14:47:36.352982998 CEST	49739	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:47:36.397624969 CEST	4040	49739	194.5.98.74	192.168.2.3
Aug 3, 2021 14:47:37.040594101 CEST	49739	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:47:37.085175037 CEST	4040	49739	194.5.98.74	192.168.2.3
Aug 3, 2021 14:48:14.477144957 CEST	49743	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:48:14.521774054 CEST	4040	49743	194.5.98.74	192.168.2.3
Aug 3, 2021 14:48:15.034255028 CEST	49743	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:48:15.078751087 CEST	4040	49743	194.5.98.74	192.168.2.3
Aug 3, 2021 14:48:15.648817062 CEST	49743	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:48:15.693285942 CEST	4040	49743	194.5.98.74	192.168.2.3
Aug 3, 2021 14:48:59.419826031 CEST	49751	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:48:59.465426922 CEST	4040	49751	194.5.98.74	192.168.2.3
Aug 3, 2021 14:49:00.058918953 CEST	49751	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:49:00.105498075 CEST	4040	49751	194.5.98.74	192.168.2.3
Aug 3, 2021 14:49:00.746720076 CEST	49751	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:49:00.792035103 CEST	4040	49751	194.5.98.74	192.168.2.3
Aug 3, 2021 14:49:44.824145079 CEST	49759	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:49:44.870352983 CEST	4040	49759	194.5.98.74	192.168.2.3
Aug 3, 2021 14:49:45.375174999 CEST	49759	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:49:45.426491022 CEST	4040	49759	194.5.98.74	192.168.2.3
Aug 3, 2021 14:49:45.937864065 CEST	49759	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:49:45.981906891 CEST	4040	49759	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:15.158128023 CEST	49765	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:15.202559948 CEST	4040	49765	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:15.706037045 CEST	49765	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:15.756139994 CEST	4040	49765	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:16.268457890 CEST	49765	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:16.312866926 CEST	4040	49765	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:45.222585917 CEST	49766	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:45.279006004 CEST	4040	49766	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:45.786555052 CEST	49766	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:45.842958927 CEST	4040	49766	194.5.98.74	192.168.2.3
Aug 3, 2021 14:50:46.349107981 CEST	49766	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:50:46.407428026 CEST	4040	49766	194.5.98.74	192.168.2.3
Aug 3, 2021 14:51:30.576817036 CEST	49770	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:51:30.620276928 CEST	4040	49770	194.5.98.74	192.168.2.3
Aug 3, 2021 14:51:31.134229898 CEST	49770	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:51:31.177716017 CEST	4040	49770	194.5.98.74	192.168.2.3
Aug 3, 2021 14:51:31.681015968 CEST	49770	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:51:31.724941015 CEST	4040	49770	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:00.560456038 CEST	49771	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:00.615791082 CEST	4040	49771	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:01.121059895 CEST	49771	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:01.176704884 CEST	4040	49771	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:01.683590889 CEST	49771	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:01.739079952 CEST	4040	49771	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:30.593358040 CEST	49773	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:30.636796951 CEST	4040	49773	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:31.139195919 CEST	49773	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:31.183046103 CEST	4040	49773	194.5.98.74	192.168.2.3
Aug 3, 2021 14:52:31.686194897 CEST	49773	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:52:31.731462002 CEST	4040	49773	194.5.98.74	192.168.2.3
Aug 3, 2021 14:53:15.246557951 CEST	49779	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:53:15.302040100 CEST	4040	49779	194.5.98.74	192.168.2.3
Aug 3, 2021 14:53:15.814881086 CEST	49779	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:53:15.870394945 CEST	4040	49779	194.5.98.74	192.168.2.3
Aug 3, 2021 14:53:16.377656937 CEST	49779	4040	192.168.2.3	194.5.98.74
Aug 3, 2021 14:53:16.434027910 CEST	4040	49779	194.5.98.74	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 14:45:02.433785915 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:02.459536076 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:03.106939077 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:03.132013083 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:03.741242886 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:03.766334057 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:04.450599909 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:04.478235960 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:04.664549112 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:04.704325914 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:05.115405083 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:05.141145945 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:05.930788040 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:05.956702948 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:06.592334986 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:06.619251966 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:07.574091911 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:07.601309061 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:09.638709068 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:09.663589001 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:10.791352987 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:10.824028015 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:11.675386906 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:11.700249910 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:13.384774923 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:13.412184954 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:14.312062025 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:14.340142012 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:15.053843021 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:15.081407070 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:18.071397066 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:18.098843098 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:18.831847906 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:18.858071089 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:20.307502031 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:20.334569931 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:21.220947981 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:21.256170034 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:36.758276939 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:36.795633078 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:38.781929970 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:38.825753927 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:57.101054907 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:57.136080027 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:59.230046988 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:59.262897015 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 14:45:59.322199106 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:45:59.358314037 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:03.310149908 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:03.360773087 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:16.367758036 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:16.416579962 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:23.900834084 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:23.936127901 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:54.769162893 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:54.801601887 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:57.343972921 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:57.385066986 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 14:46:59.369134903 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:46:59.405335903 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 14:47:00.197516918 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:47:00.252003908 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 14:47:04.296108007 CEST	63619	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:05.292681932 CEST	63619	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:06.242685080 CEST	63619	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:08.242249966 CEST	63619	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:12.354681015 CEST	63619	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:16.907313108 CEST	64938	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:47:17.946968079 CEST	64938	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:47:18.976984024 CEST	64938	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:47:21.649106979 CEST	64938	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:47:26.166146040 CEST	64938	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:47:35.621997118 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:47:35.656497002 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 14:47:42.986458063 CEST	64910	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:43.999631882 CEST	64910	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:45.011310101 CEST	64910	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:48.230129004 CEST	64910	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:47:52.277863979 CEST	64910	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:01.229027033 CEST	52123	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:02.343261957 CEST	52123	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:03.368522882 CEST	52123	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:05.399483919 CEST	52123	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:06.761126995 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:06.802342892 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:08.614316940 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:08.663347006 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:09.474360943 CEST	52123	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:11.270565033 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:11.306169033 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:14.224886894 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:14.257884979 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:14.458291054 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:14.491636992 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:15.373739004 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:15.406469107 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:15.856225967 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:15.891494036 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:16.495096922 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:16.527456999 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:17.511301994 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:17.544800043 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:18.366750002 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:18.400470972 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:18.903029919 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:18.935570002 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 3, 2021 14:48:19.730734110 CEST	64124	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:20.757323027 CEST	64124	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:21.775692940 CEST	64124	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:23.807049036 CEST	64124	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:27.854806900 CEST	64124	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:48:37.091653109 CEST	49361	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:38.058000088 CEST	49361	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:39.152194023 CEST	49361	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:42.464492083 CEST	49361	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:47.944371939 CEST	49361	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:48:59.233321905 CEST	63150	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:48:59.267369032 CEST	53	63150	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:20.258800983 CEST	53279	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:20.493740082 CEST	56881	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:20.526868105 CEST	53	56881	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:21.071223021 CEST	53642	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:21.136039019 CEST	53	53642	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:21.249716043 CEST	53279	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:22.332037926 CEST	53279	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:24.343555927 CEST	53279	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:26.367660046 CEST	55667	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:26.403091908 CEST	53	55667	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:27.067500114 CEST	54833	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:27.103094101 CEST	53	54833	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:28.393822908 CEST	53279	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:32.611684084 CEST	62476	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:49:33.625143051 CEST	62476	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:49:34.676656008 CEST	62476	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:49:36.722357988 CEST	62476	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:49:40.736180067 CEST	62476	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:49:44.786421061 CEST	49705	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:44.821619034 CEST	53	49705	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:50.041579962 CEST	61477	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:51.064291000 CEST	61477	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:52.095896006 CEST	61477	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:54.142237902 CEST	61477	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:56.636926889 CEST	61633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:56.672193050 CEST	53	61633	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:57.021744967 CEST	55949	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:57.048093081 CEST	53	55949	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:57.896776915 CEST	57601	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:57.924571037 CEST	53	57601	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:58.158940077 CEST	61477	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:49:58.259133101 CEST	49342	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:58.300903082 CEST	53	49342	8.8.8.8	192.168.2.3
Aug 3, 2021 14:49:58.524367094 CEST	56253	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:49:58.552354097 CEST	53	56253	8.8.8.8	192.168.2.3
Aug 3, 2021 14:50:02.238451004 CEST	49667	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:03.310316086 CEST	49667	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:04.346719027 CEST	49667	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:07.050962925 CEST	49667	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:11.049787998 CEST	49667	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:15.121032953 CEST	55439	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:50:15.156367064 CEST	53	55439	8.8.8.8	192.168.2.3
Aug 3, 2021 14:50:20.361833096 CEST	57069	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:50:21.348215103 CEST	57069	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:50:22.395008087 CEST	57069	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:50:24.441831112 CEST	57069	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:50:24.716253042 CEST	53	49667	37.235.1.177	192.168.2.3
Aug 3, 2021 14:50:28.489753962 CEST	57069	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:50:32.527599096 CEST	57659	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:33.551763058 CEST	57659	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:34.567779064 CEST	57659	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:36.599262953 CEST	57659	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:41.068483114 CEST	57659	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:50:45.186182022 CEST	54717	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:50:45.220398903 CEST	53	54717	8.8.8.8	192.168.2.3
Aug 3, 2021 14:51:05.606369019 CEST	63975	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:06.648612022 CEST	63975	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:07.649360895 CEST	63975	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:09.664884090 CEST	63975	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:14.306473970 CEST	63975	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:18.394648075 CEST	56639	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:19.399610043 CEST	56639	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:20.399944067 CEST	56639	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:22.415865898 CEST	56639	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:26.447141886 CEST	56639	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:30.542591095 CEST	51856	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:51:30.574955940 CEST	53	51856	8.8.8.8	192.168.2.3
Aug 3, 2021 14:51:35.773979902 CEST	56546	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:36.807101965 CEST	56546	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:37.808396101 CEST	56546	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:39.807629108 CEST	56546	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:43.854691982 CEST	56546	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:51:47.896253109 CEST	62152	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:48.886442900 CEST	62152	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:49.917701006 CEST	62152	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:51.965085983 CEST	62152	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:51:55.998029947 CEST	62152	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:00.522680044 CEST	53470	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:52:00.558269024 CEST	53	53470	8.8.8.8	192.168.2.3
Aug 3, 2021 14:52:06.244844913 CEST	56446	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:07.232276917 CEST	56446	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:08.251035929 CEST	56446	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:10.247987032 CEST	56446	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:14.295309067 CEST	56446	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:18.359519005 CEST	59631	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:19.404599905 CEST	59631	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:20.420696020 CEST	59631	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:22.467644930 CEST	59631	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:26.341532946 CEST	55515	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:52:26.374078989 CEST	53	55515	8.8.8.8	192.168.2.3
Aug 3, 2021 14:52:26.468364000 CEST	59631	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:52:30.553715944 CEST	64547	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:52:30.590955973 CEST	53	64547	8.8.8.8	192.168.2.3
Aug 3, 2021 14:52:50.889255047 CEST	51759	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:51.907280922 CEST	51759	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:52.907313108 CEST	51759	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:54.923268080 CEST	51759	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:58.847239971 CEST	59207	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:52:58.884262085 CEST	53	59207	8.8.8.8	192.168.2.3
Aug 3, 2021 14:52:58.954516888 CEST	51759	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:52:59.260263920 CEST	54269	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:52:59.307693958 CEST	53	54269	8.8.8.8	192.168.2.3
Aug 3, 2021 14:53:03.039676905 CEST	54856	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:04.064625978 CEST	54856	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:05.097647905 CEST	54856	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:07.111944914 CEST	54856	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:11.128269911 CEST	54856	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:15.209213972 CEST	64140	53	192.168.2.3	8.8.8.8
Aug 3, 2021 14:53:15.244764090 CEST	53	64140	8.8.8.8	192.168.2.3
Aug 3, 2021 14:53:20.518920898 CEST	62271	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:53:21.519411087 CEST	62271	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:53:22.566785097 CEST	62271	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:53:24.597949028 CEST	62271	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:53:28.645020008 CEST	62271	53	192.168.2.3	37.235.1.174
Aug 3, 2021 14:53:32.718887091 CEST	57404	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:33.754573107 CEST	57404	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:34.754681110 CEST	57404	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:36.770991087 CEST	57404	53	192.168.2.3	37.235.1.177
Aug 3, 2021 14:53:40.786465883 CEST	57404	53	192.168.2.3	37.235.1.177

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 3, 2021 14:50:24.716542006 CEST	192.168.2.3	37.235.1.177	e78e	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 14:46:59.369134903 CEST	192.168.2.3	8.8.8.8	0xb6c2	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:00.197516918 CEST	192.168.2.3	8.8.8.8	0x1de6	Standard query (0)	vt8dlg.bn.files.1drv.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:04.296108007 CEST	192.168.2.3	37.235.1.174	0xbff2	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:05.292681932 CEST	192.168.2.3	37.235.1.174	0xbff2	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:06.242685080 CEST	192.168.2.3	37.235.1.174	0xbff2	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:08.242249966 CEST	192.168.2.3	37.235.1.174	0xbff2	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:12.354681015 CEST	192.168.2.3	37.235.1.174	0xbff2	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:16.907313108 CEST	192.168.2.3	37.235.1.177	0xf34	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:17.946968079 CEST	192.168.2.3	37.235.1.177	0xf34	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:18.976984024 CEST	192.168.2.3	37.235.1.177	0xf34	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:21.649106979 CEST	192.168.2.3	37.235.1.177	0xf34	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:26.166146040 CEST	192.168.2.3	37.235.1.177	0xf34	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:35.621997118 CEST	192.168.2.3	8.8.8.8	0x1eda	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:42.986458063 CEST	192.168.2.3	37.235.1.174	0xdd09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:43.999631882 CEST	192.168.2.3	37.235.1.174	0xdd09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:45.011310101 CEST	192.168.2.3	37.235.1.174	0xdd09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:48.230129004 CEST	192.168.2.3	37.235.1.174	0xdd09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:47:52.277863979 CEST	192.168.2.3	37.235.1.174	0xdd09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:01.229027033 CEST	192.168.2.3	37.235.1.177	0x347e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:02.343261957 CEST	192.168.2.3	37.235.1.177	0x347e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:03.368522882 CEST	192.168.2.3	37.235.1.177	0x347e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:05.399483919 CEST	192.168.2.3	37.235.1.177	0x347e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:09.474360943 CEST	192.168.2.3	37.235.1.177	0x347e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:14.224886894 CEST	192.168.2.3	8.8.8.8	0x6b09	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:19.730734110 CEST	192.168.2.3	37.235.1.174	0xcffd	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:20.757323027 CEST	192.168.2.3	37.235.1.174	0xcffd	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:21.775692940 CEST	192.168.2.3	37.235.1.174	0xcffd	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:23.807049036 CEST	192.168.2.3	37.235.1.174	0xcffd	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:27.854806900 CEST	192.168.2.3	37.235.1.174	0xcffd	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:37.091653109 CEST	192.168.2.3	37.235.1.177	0x6604	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:38.058000088 CEST	192.168.2.3	37.235.1.177	0x6604	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:39.152194023 CEST	192.168.2.3	37.235.1.177	0x6604	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:42.464492083 CEST	192.168.2.3	37.235.1.177	0x6604	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:47.944371939 CEST	192.168.2.3	37.235.1.177	0x6604	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:59.233321905 CEST	192.168.2.3	8.8.8.8	0x5594	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:20.258800983 CEST	192.168.2.3	37.235.1.174	0xdcf7	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:20.493740082 CEST	192.168.2.3	8.8.8.8	0xf4fa	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:21.071223021 CEST	192.168.2.3	8.8.8.8	0x9cf0	Standard query (0)	vt8dlg.bn.files.1drv.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:21.249716043 CEST	192.168.2.3	37.235.1.174	0xdcf7	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:22.332037926 CEST	192.168.2.3	37.235.1.174	0xdcf7	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:24.343555927 CEST	192.168.2.3	37.235.1.174	0xdcf7	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:26.367660046 CEST	192.168.2.3	8.8.8.8	0xc35e	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:27.067500114 CEST	192.168.2.3	8.8.8.8	0xaab6	Standard query (0)	vt8dlg.bn.files.1drv.com	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:28.393822908 CEST	192.168.2.3	37.235.1.174	0xdcf7	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:32.611684084 CEST	192.168.2.3	37.235.1.177	0xb62f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:33.625143051 CEST	192.168.2.3	37.235.1.177	0xb62f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:34.676656008 CEST	192.168.2.3	37.235.1.177	0xb62f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:36.722357988 CEST	192.168.2.3	37.235.1.177	0xb62f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:40.736180067 CEST	192.168.2.3	37.235.1.177	0xb62f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:44.786421061 CEST	192.168.2.3	8.8.8.8	0x582e	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:50.041579962 CEST	192.168.2.3	37.235.1.174	0xcab9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:51.064291000 CEST	192.168.2.3	37.235.1.174	0xcab9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:52.095896006 CEST	192.168.2.3	37.235.1.174	0xcab9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:54.142237902 CEST	192.168.2.3	37.235.1.174	0xcab9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:58.158940077 CEST	192.168.2.3	37.235.1.174	0xcab9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:02.238451004 CEST	192.168.2.3	37.235.1.177	0xe0ed	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:03.310316086 CEST	192.168.2.3	37.235.1.177	0xe0ed	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:04.346719027 CEST	192.168.2.3	37.235.1.177	0xe0ed	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:07.050962925 CEST	192.168.2.3	37.235.1.177	0xe0ed	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:11.049787998 CEST	192.168.2.3	37.235.1.177	0xe0ed	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:15.121032953 CEST	192.168.2.3	8.8.8.8	0xf0ba	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:20.361833096 CEST	192.168.2.3	37.235.1.174	0x1a01	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:21.348215103 CEST	192.168.2.3	37.235.1.174	0x1a01	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:22.395008087 CEST	192.168.2.3	37.235.1.174	0x1a01	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:24.441831112 CEST	192.168.2.3	37.235.1.174	0x1a01	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:28.489753962 CEST	192.168.2.3	37.235.1.174	0x1a01	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:32.527599096 CEST	192.168.2.3	37.235.1.177	0xe7d4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:33.551763058 CEST	192.168.2.3	37.235.1.177	0xe7d4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:34.567779064 CEST	192.168.2.3	37.235.1.177	0xe7d4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:36.599262953 CEST	192.168.2.3	37.235.1.177	0xe7d4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:41.068483114 CEST	192.168.2.3	37.235.1.177	0xe7d4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:45.186182022 CEST	192.168.2.3	8.8.8.8	0xa59b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:05.606369019 CEST	192.168.2.3	37.235.1.174	0x1573	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:06.648612022 CEST	192.168.2.3	37.235.1.174	0x1573	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:07.649360895 CEST	192.168.2.3	37.235.1.174	0x1573	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:09.664884090 CEST	192.168.2.3	37.235.1.174	0x1573	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:14.306473970 CEST	192.168.2.3	37.235.1.174	0x1573	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:18.394648075 CEST	192.168.2.3	37.235.1.177	0xb62b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:19.399610043 CEST	192.168.2.3	37.235.1.177	0xb62b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:20.399944067 CEST	192.168.2.3	37.235.1.177	0xb62b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:22.415865898 CEST	192.168.2.3	37.235.1.177	0xb62b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:26.447141886 CEST	192.168.2.3	37.235.1.177	0xb62b	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:30.542591095 CEST	192.168.2.3	8.8.8.8	0x8660	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:35.773979902 CEST	192.168.2.3	37.235.1.174	0xa2f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:36.807101965 CEST	192.168.2.3	37.235.1.174	0xa2f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:37.808396101 CEST	192.168.2.3	37.235.1.174	0xa2f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:39.807629108 CEST	192.168.2.3	37.235.1.174	0xa2f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:43.854691982 CEST	192.168.2.3	37.235.1.174	0xa2f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:47.896253109 CEST	192.168.2.3	37.235.1.177	0x486f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:48.886442900 CEST	192.168.2.3	37.235.1.177	0x486f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:49.917701006 CEST	192.168.2.3	37.235.1.177	0x486f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:51.965085983 CEST	192.168.2.3	37.235.1.177	0x486f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:55.998029947 CEST	192.168.2.3	37.235.1.177	0x486f	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:00.522680044 CEST	192.168.2.3	8.8.8.8	0x1d1	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:06.244844913 CEST	192.168.2.3	37.235.1.174	0x69f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:07.232276917 CEST	192.168.2.3	37.235.1.174	0x69f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:08.251035929 CEST	192.168.2.3	37.235.1.174	0x69f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:10.247987032 CEST	192.168.2.3	37.235.1.174	0x69f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:14.295309067 CEST	192.168.2.3	37.235.1.174	0x69f0	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:18.359519005 CEST	192.168.2.3	37.235.1.177	0xae39	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:19.404599905 CEST	192.168.2.3	37.235.1.177	0xae39	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:20.420696020 CEST	192.168.2.3	37.235.1.177	0xae39	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:22.467644930 CEST	192.168.2.3	37.235.1.177	0xae39	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:26.468364000 CEST	192.168.2.3	37.235.1.177	0xae39	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:30.553715944 CEST	192.168.2.3	8.8.8.8	0x169	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:50.889255047 CEST	192.168.2.3	37.235.1.174	0xc6f4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:51.907280922 CEST	192.168.2.3	37.235.1.174	0xc6f4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:52.907313108 CEST	192.168.2.3	37.235.1.174	0xc6f4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:54.923268080 CEST	192.168.2.3	37.235.1.174	0xc6f4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:58.954516888 CEST	192.168.2.3	37.235.1.174	0xc6f4	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:03.039676905 CEST	192.168.2.3	37.235.1.177	0xeef9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:04.064625978 CEST	192.168.2.3	37.235.1.177	0xeef9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:05.097647905 CEST	192.168.2.3	37.235.1.177	0xeef9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:07.111944914 CEST	192.168.2.3	37.235.1.177	0xeef9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:11.128269911 CEST	192.168.2.3	37.235.1.177	0xeef9	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:15.209213972 CEST	192.168.2.3	8.8.8.8	0xf3cb	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:20.518920898 CEST	192.168.2.3	37.235.1.174	0xb4a	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:21.519411087 CEST	192.168.2.3	37.235.1.174	0xb4a	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:22.566785097 CEST	192.168.2.3	37.235.1.174	0xb4a	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:24.597949028 CEST	192.168.2.3	37.235.1.174	0xb4a	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:28.645020008 CEST	192.168.2.3	37.235.1.174	0xb4a	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:32.718887091 CEST	192.168.2.3	37.235.1.177	0xb966	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:33.754573107 CEST	192.168.2.3	37.235.1.177	0xb966	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:34.754681110 CEST	192.168.2.3	37.235.1.177	0xb966	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:36.770991087 CEST	192.168.2.3	37.235.1.177	0xb966	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:40.786465883 CEST	192.168.2.3	37.235.1.177	0xb966	Standard query (0)	mexi11.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 14:46:59.405335903 CEST	8.8.8.8	192.168.2.3	0xb6c2	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:47:00.252003908 CEST	8.8.8.8	192.168.2.3	0x1de6	No error (0)	vt8dlg.bn.files.1drv.com	bn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:47:00.252003908 CEST	8.8.8.8	192.168.2.3	0x1de6	No error (0)	bn-files.fe.1drv.com	odc-bn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:47:35.656497002 CEST	8.8.8.8	192.168.2.3	0x1eda	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:14.257884979 CEST	8.8.8.8	192.168.2.3	0x6b09	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:48:59.267369032 CEST	8.8.8.8	192.168.2.3	0x5594	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:20.526868105 CEST	8.8.8.8	192.168.2.3	0xf4fa	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:21.136039019 CEST	8.8.8.8	192.168.2.3	0x9cf0	No error (0)	vt8dlg.bn.files.1drv.com	bn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:21.136039019 CEST	8.8.8.8	192.168.2.3	0x9cf0	No error (0)	bn-files.fe.1drv.com	odc-bn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:26.403091908 CEST	8.8.8.8	192.168.2.3	0xc35e	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:27.103094101 CEST	8.8.8.8	192.168.2.3	0xaab6	No error (0)	vt8dlg.bn.files.1drv.com	bn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:27.103094101 CEST	8.8.8.8	192.168.2.3	0xaab6	No error (0)	bn-files.fe.1drv.com	odc-bn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:49:44.821619034 CEST	8.8.8.8	192.168.2.3	0x582e	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:49:56.672193050 CEST	8.8.8.8	192.168.2.3	0xcd5b	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 14:50:15.156367064 CEST	8.8.8.8	192.168.2.3	0xf0ba	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:24.716253042 CEST	37.235.1.177	192.168.2.3	0xe0ed	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:50:45.220398903 CEST	8.8.8.8	192.168.2.3	0xa59b	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:51:30.574955940 CEST	8.8.8.8	192.168.2.3	0x8660	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:00.558269024 CEST	8.8.8.8	192.168.2.3	0x1d1	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:52:30.590955973 CEST	8.8.8.8	192.168.2.3	0x169	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)
Aug 3, 2021 14:53:15.244764090 CEST	8.8.8.8	192.168.2.3	0xf3cb	No error (0)	mexi11.ddns.net		194.5.98.74	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 7keerHhHvn.exe PID: 1056 Parent PID: 5604

General

Start time:	14:45:09
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\7keerHhHvn.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\7keerHhHvn.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	782783574D2D4B67666B77B686C2E673
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 2476 Parent PID: 1056

General

Start time:	14:46:05
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\7keerHhHvn.exe'
Imagebase:	0xd50000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 3596 Parent PID: 2476

General

Start time:	14:46:05
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: filename1.exe PID: 2344 Parent PID: 3388

General

Start time:	14:47:08
Start date:	03/08/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	782783574D2D4B67666B77B686C2E673
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, ReversingLabs
Reputation:	low

Analysis Process: filename1.exe PID: 5512 Parent PID: 3388

General

Start time:	14:47:16
Start date:	03/08/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	782783574D2D4B67666B77B686C2E673
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 4168 Parent PID: 2344

General

Start time:	14:48:18
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0xd0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 3448 Parent PID: 2344

General

Start time:	14:48:18
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x130000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 5904 Parent PID: 2344

General

Start time:	14:48:19
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0xea0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000026.00000002.767234010.000000001F1D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000026.00000002.767134795.000000001E1D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000026.00000002.762525078.0000000000FD0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 4792 Parent PID: 5904

General

Start time:	14:48:19
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 5376 Parent PID: 5512

General

Start time:	14:48:25
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x520000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 4736 Parent PID: 5512

General

Start time:	14:48:25
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x8c0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000029.00000002.780177556.000000001EBB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000029.00000002.780062745.000000001DBB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000029.00000002.774677046.00000000009F0000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: conhost.exe PID: 5028 Parent PID: 4736

General

Start time:	14:48:26
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin