Windows Analysis Report E0QkjJowwG

Overview

General Information

Sample Name: E0QkjJowwG (renamed file extension from none to exe)
Analysis ID: 492550
MD5: a1b69800aeb7ecbc49ebb13ce4a88737
SHA1: 96e25aed75903a5a84be3175c6e834a44833bc5d
SHA256: 09bc9c08f80f93317cd8769f85d8921787c677033a5b12a6c310fb92d83f6e41
Tags: exe, njrat

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to evade analysis by executing special instructions which cause a usermode exception
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file has nameless sections
Machine Learning detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the user root directory
Modifies the windows firewall
Contains functionality to spread to USB devices (.Net source)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Drops PE files to the user directory
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: E0QkjJowwG.exe Virustotal: Detection: 42%
Source: E0QkjJowwG.exe Metadefender: Detection: 34%
Source: E0QkjJowwG.exe ReversingLabs: Detection: 60%
Yara detected Njrat
Source: Yara match File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: E0QkjJowwG.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe Avira: detection malicious, Label: HEUR/AGEN.1142875
Source: C:\Users\user\Yandex.exe Avira: detection malicious, Label: HEUR/AGEN.1142875
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Yandex.exe Metadefender: Detection: 34%
Source: C:\Users\user\Yandex.exe ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: E0QkjJowwG.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe Joe Sandbox ML: detected
Source: C:\Users\user\Yandex.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Yandex.exe.a0000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.2.Yandex.exe.70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 7.2.Yandex.exe.70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 5.2.Yandex.exe.70000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f50000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.Yandex.exe.a0000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.a0000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 7.2.Yandex.exe.a0000.1.unpack Avira: Label: TR/Patched.Ren.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
Uses 32bit PE files
Source: E0QkjJowwG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs .Net Code: USBspr
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: USBspr
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: USBspr
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: USBspr
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: USBspr
May infect USB drives
Source: E0QkjJowwG.exe Binary or memory string: [autorun] open=
Source: E0QkjJowwG.exe Binary or memory string: autorun.inf
Source: E0QkjJowwG.exe, 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe Binary or memory string: autorun.inf
Source: Yandex.exe Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Yandex.exe, 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe Binary or memory string: autorun.inf
Source: Yandex.exe Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe Binary or memory string: autorun.inf
Source: Yandex.exe Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp Binary or memory string: autorun.inf![autorun]

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 3.142.167.4 ports 1,2,12549,4,5,9
Source: global traffic TCP traffic: 13.58.157.220 ports 1,2,12549,4,5,9
Source: global traffic TCP traffic: 3.142.167.54 ports 1,2,12549,4,5,9
Source: global traffic TCP traffic: 3.142.129.56 ports 1,2,12549,4,5,9
Source: global traffic TCP traffic: 3.142.81.166 ports 1,2,12549,4,5,9
Source: global traffic TCP traffic: 3.19.130.43 ports 1,2,12549,4,5,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49690 -> 3.19.130.43:12549
Source: global traffic TCP traffic: 192.168.2.3:49693 -> 3.142.129.56:12549
Source: global traffic TCP traffic: 192.168.2.3:49695 -> 3.142.81.166:12549
Source: global traffic TCP traffic: 192.168.2.3:49696 -> 3.142.167.4:12549
Source: global traffic TCP traffic: 192.168.2.3:49706 -> 13.58.157.220:12549
Source: global traffic TCP traffic: 192.168.2.3:49715 -> 3.142.167.54:12549
Source: E0QkjJowwG.exe String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: E0QkjJowwG.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: E0QkjJowwG.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: unknown DNS traffic detected: queries for: 8.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Creates a DirectInput object (often for capturing keystrokes)
Source: E0QkjJowwG.exe, 00000000.00000002.306621221.00000000013EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
PE file has nameless sections
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Uses 32bit PE files
Source: E0QkjJowwG.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: E0QkjJowwG.exe, type: SAMPLE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 5.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.0.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 6.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 7.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: C:\Users\user\Yandex.exe, type: DROPPED Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Detected potential crypto function
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Code function: 0_2_010AE411 0_2_010AE411
Source: C:\Users\user\Yandex.exe Code function: 1_2_000E00CF 1_2_000E00CF
Source: C:\Users\user\Yandex.exe Code function: 5_2_000E00CF 5_2_000E00CF
Source: C:\Users\user\Yandex.exe Code function: 6_2_000E00CF 6_2_000E00CF
Source: E0QkjJowwG.exe Virustotal: Detection: 42%
Source: E0QkjJowwG.exe Metadefender: Detection: 34%
Source: E0QkjJowwG.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File read: C:\Users\user\Desktop\E0QkjJowwG.exe
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\E0QkjJowwG.exe 'C:\Users\user\Desktop\E0QkjJowwG.exe'
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe
Source: classification engine Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/3@32/6
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Yandex.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Yandex.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Yandex.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Yandex.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
Source: C:\Users\user\Yandex.exe Mutant created: \Sessions\1\BaseNamedObjects\33a62d2d2e6f6fc30153b1b0408eca36SGFjS2Vk
Source: C:\Users\user\Yandex.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Yandex.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Yandex.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: E0QkjJowwG.exe Static file information: File size 1246208 > 1048576

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
Source: C:\Users\user\Yandex.exe Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
.NET source code contains potential unpacker
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Code function: 0_2_00F26DC3 push cs; retf 0_2_00F26DC4
Source: C:\Users\user\Yandex.exe Code function: 1_2_00076DC3 push cs; retf 1_2_00076DC4
Source: C:\Users\user\Yandex.exe Code function: 5_2_00076DC3 push cs; retf 5_2_00076DC4
Source: C:\Users\user\Yandex.exe Code function: 6_2_00076DC3 push cs; retf 6_2_00076DC4
PE file contains sections with non-standard names
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: E0QkjJowwG.exe Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: Yandex.exe.0.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name:
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: initial sample Static PE information: section name: entropy: 7.92098871266
Source: initial sample Static PE information: section name: .data entropy: 7.98017185611

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe
Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Drops PE files to the user directory
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Yandex.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Source: C:\Users\user\Yandex.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Yandex.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Yandex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to evade analysis by execution special instruction which cause usermode exception
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Special instruction interceptor: First address: 0000000001030700 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\Yandex.exe Special instruction interceptor: First address: 0000000000180700 instructions 0F0B caused by: Known instruction #UD exception
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\E0QkjJowwG.exe TID: 5480 Thread sleep count: 76 > 30
Source: C:\Users\user\Yandex.exe TID: 5104 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Yandex.exe TID: 3648 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Yandex.exe TID: 5416 Thread sleep count: 76 > 30
Source: C:\Users\user\Yandex.exe TID: 5416 Thread sleep count: 322 > 30
Source: C:\Users\user\Yandex.exe TID: 4756 Thread sleep count: 586 > 30
Source: C:\Users\user\Yandex.exe TID: 4756 Thread sleep count: 51 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Yandex.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 362
Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 6086
Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 608
Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 586
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process information queried: ProcessInformation
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Hyper-V (guest)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmp Binary or memory string: ~VirtualMachineTypes
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305995650.00000000010AC000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: VBoxService.exe
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Hyper-VU
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: VMWare
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Yandex.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process token adjusted: Debug
Source: C:\Users\user\Yandex.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: Program Manager|9
Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Yandex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\Yandex.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Modifies the windows firewall
Source: C:\Users\user\Yandex.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
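The netsh command above is the classic Njrat firewall exception: the dropped copy in the user's profile spawns netsh to whitelist itself. The Python below is an added example for this report, not code from the sample, the sandbox, or the Njrat authors. It flags that pattern in Sysmon-style process-creation records. The event dicts and their field names are constructed; only the first command line is the one quoted in the report. The report renders quotes as single quotes where a real Windows command line carries double quotes, so both forms are accepted, as is a bare path. It also covers the current `netsh advfirewall firewall add rule ... program=` syntax in addition to the legacy `netsh firewall add allowedprogram` context the sample uses, which is an extension beyond what the report shows.

```python
"""Flag netsh firewall exceptions that whitelist a program from a user-writable path.

Added example for this report, not code from the sample or the sandbox.
Event records are constructed Sysmon-style process-creation dicts; only the
first command line is the one quoted in the report (quotes normalised to the
double quotes a real Windows command line carries).
"""
import re
from typing import Dict, List, Optional

# A program path as netsh accepts it: double-quoted, single-quoted (the sandbox
# report's rendering), or bare with no spaces.
_QUOTED_PATH = r"""(?:"(?P<dq>[^"]+)"|'(?P<sq>[^']+)'|(?P<bare>\S+))"""

# Legacy context used by this sample: netsh firewall add allowedprogram [program=]<path> ...
LEGACY = re.compile(
    r"netsh(?:\.exe)?\s+firewall\s+(?:add|set)\s+allowedprogram\s+(?:program=)?" + _QUOTED_PATH,
    re.IGNORECASE,
)
# Current context: netsh advfirewall firewall add rule ... program=<path> ...
ADVFW = re.compile(
    r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=" + _QUOTED_PATH,
    re.IGNORECASE,
)

# Locations an unprivileged user can write to; a firewall exception for a binary
# here is how Njrat and similar implants open their own network path.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE
)
# Where properly installed software lives.
TRUSTED_ROOTS = re.compile(
    r"^[a-z]:\\(?:program files(?: \(x86\))?|windows)\\", re.IGNORECASE
)


def firewall_exception_path(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command whitelists, or None if it adds no exception."""
    for pattern in (LEGACY, ADVFW):
        m = pattern.search(cmdline)
        if m:
            return (m.group("dq") or m.group("sq") or m.group("bare")).strip()
    return None


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event; None means no alert."""
    path = firewall_exception_path(event.get("CommandLine", ""))
    if path is None:
        return None
    parent = event.get("ParentImage", "")
    reasons: List[str] = []
    if parent and parent.lower() == path.lower():
        # The report's chain: Yandex.exe spawns netsh to whitelist Yandex.exe.
        reasons.append("self-whitelisting: parent process is the whitelisted program")
    if USER_WRITABLE.match(path):
        reasons.append("whitelisted program lives under a user-writable path")
    elif not TRUSTED_ROOTS.match(path):
        reasons.append("whitelisted program is outside Program Files / Windows")
    if not reasons:
        return None
    severity = "high" if USER_WRITABLE.match(path) or len(reasons) > 1 else "medium"
    return {"severity": severity, "program": path, "parent": parent, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample input. Event 1 reproduces the command line from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Yandex.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\Yandex.exe" "Yandex.exe" ENABLE'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow '
                    r'program="C:\Users\user\AppData\Roaming\svc.exe" enable=yes'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow '
                    r'program="C:\Program Files\Vendor\agent.exe"'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"netsh advfirewall firewall add rule name=scan dir=in action=allow program=D:\Tools\scanner.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['program']} (parent: {alert['parent']})")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Pairing the whitelisted path with the parent image is what separates this from installer noise: legitimate software adds rules for binaries under Program Files from an installer, whereas an implant whitelists its own image from a user-writable directory. The constructed vendor event above shows the benign case returning no alert.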

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

Remote Access Functionality:

Yara detected Njrat
Source: Yara match File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR