
Windows Analysis Report E0QkjJowwG

Overview

General Information

Sample Name: E0QkjJowwG (renamed file extension from none to exe)
Analysis ID: 492550
MD5: a1b69800aeb7ecbc49ebb13ce4a88737
SHA1: 96e25aed75903a5a84be3175c6e834a44833bc5d
SHA256: 09bc9c08f80f93317cd8769f85d8921787c677033a5b12a6c310fb92d83f6e41
Tags: exe, njrat

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to evade analysis by executing a special instruction that causes a usermode exception
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in Windows Explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file has nameless sections
Machine Learning detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the user root directory
Modifies the Windows Firewall
Contains functionality to spread to USB devices (.Net source)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Drops PE files to the user directory
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • E0QkjJowwG.exe (PID: 2700 cmdline: 'C:\Users\user\Desktop\E0QkjJowwG.exe' MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
    • Yandex.exe (PID: 3100 cmdline: 'C:\Users\user\Yandex.exe' MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
      • netsh.exe (PID: 4492 cmdline: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Yandex.exe (PID: 4420 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • Yandex.exe (PID: 4796 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • Yandex.exe (PID: 4764 cmdline: 'C:\Users\user\Yandex.exe' .. MD5: A1B69800AEB7ECBC49EBB13CE4A88737)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: E0QkjJowwG.exe
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Source: C:\Users\user\Yandex.exe
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Memory Dumps

Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp
Rule: JoeSecurity_Njrat
Description: Yara detected Njrat
Author: Joe Security

Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp
Rule: njrat1
Description: Identify njRat
Author: Brian Wallace @botnet_hunter
Strings:
  • 0x6dab:$a1: netsh firewall add allowedprogram
  • 0x6d7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x6f9b:$b1: [TAP]
  • 0x6e97:$c3: cmd.exe /c ping

Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp
Rule: Njrat
Description: detect njRAT in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x6d7b:$reg: SEE_MASK_NOZONECHECKS
  • 0x6a6a:$msg: Execute ERROR
  • 0x6ac2:$msg: Execute ERROR
  • 0x6e97:$ping: cmd.exe /c ping 0 -n 2 & del

Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
Rule: JoeSecurity_Njrat
Description: Yara detected Njrat
Author: Joe Security

Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp
Rule: njrat1
Description: Identify njRat
Author: Brian Wallace @botnet_hunter
Strings:
  • 0x6dab:$a1: netsh firewall add allowedprogram
  • 0x6d7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x6f9b:$b1: [TAP]
  • 0x6e97:$c3: cmd.exe /c ping

(16 entries in total)

Unpacked PEs

Source: 1.0.Yandex.exe.70000.0.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Source: 5.0.Yandex.exe.70000.0.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Source: 0.0.E0QkjJowwG.exe.f20000.0.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Source: 6.0.Yandex.exe.70000.0.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

Source: 7.0.Yandex.exe.70000.0.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x45713:$s1: http://
  • 0x4577d:$s1: http://
  • 0x45b33:$s1: http://
  • 0x12f302:$s1: \xA4\xB8\xB8\xBC\xF6\xE3\xE3
  • 0x45713:$f1: http://
  • 0x4577d:$f1: http://
  • 0x45b33:$f1: http://

(15 entries in total)

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, CommandLine: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\Yandex.exe', ParentImage: C:\Users\user\Yandex.exe, ParentProcessId: 3100, ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE, ProcessId: 4492

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: E0QkjJowwG.exe; Virustotal: Detection: 42%
Source: E0QkjJowwG.exe; Metadefender: Detection: 34%
Source: E0QkjJowwG.exe; ReversingLabs: Detection: 60%
Yara detected Njrat
Source: Yara match; File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: E0QkjJowwG.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe; Avira: detection malicious, Label: HEUR/AGEN.1142875
Source: C:\Users\user\Yandex.exe; Avira: detection malicious, Label: HEUR/AGEN.1142875
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\Yandex.exe; Metadefender: Detection: 34%
Source: C:\Users\user\Yandex.exe; ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: E0QkjJowwG.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Yandex.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Yandex.exe.a0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.70000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 1.2.Yandex.exe.70000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 7.2.Yandex.exe.70000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 5.2.Yandex.exe.70000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 0.2.E0QkjJowwG.exe.f50000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.Yandex.exe.a0000.1.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.Yandex.exe.a0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 7.2.Yandex.exe.a0000.1.unpack; Avira: Label: TR/Patched.Ren.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
Source: C:\Users\user\Yandex.exe; Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe; Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe; Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
Source: C:\Users\user\Yandex.exe; Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
Uses 32bit PE files
Source: E0QkjJowwG.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading:

Contains functionality to spread to USB devices (.Net source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs; .Net Code: USBspr
Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs; .Net Code: USBspr
Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs; .Net Code: USBspr
Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs; .Net Code: USBspr
Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs; .Net Code: USBspr
May infect USB drives
Source: E0QkjJowwG.exe; Binary or memory string: [autorun] open=
Source: E0QkjJowwG.exe; Binary or memory string: autorun.inf
Source: E0QkjJowwG.exe, 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: E0QkjJowwG.exe, 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe; Binary or memory string: autorun.inf
Source: Yandex.exe; Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: Yandex.exe, 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe; Binary or memory string: autorun.inf
Source: Yandex.exe; Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe; Binary or memory string: autorun.inf
Source: Yandex.exe; Binary or memory string: [autorun] open=
Source: Yandex.exe, 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]
Source: Yandex.exe, 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp; Binary or memory string: autorun.inf![autorun]

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 3.142.167.4 ports 1,2,12549,4,5,9
Source: global traffic; TCP traffic: 13.58.157.220 ports 1,2,12549,4,5,9
Source: global traffic; TCP traffic: 3.142.167.54 ports 1,2,12549,4,5,9
Source: global traffic; TCP traffic: 3.142.129.56 ports 1,2,12549,4,5,9
Source: global traffic; TCP traffic: 3.142.81.166 ports 1,2,12549,4,5,9
Source: global traffic; TCP traffic: 3.19.130.43 ports 1,2,12549,4,5,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.3:49690 -> 3.19.130.43:12549
Source: global traffic; TCP traffic: 192.168.2.3:49693 -> 3.142.129.56:12549
Source: global traffic; TCP traffic: 192.168.2.3:49695 -> 3.142.81.166:12549
Source: global traffic; TCP traffic: 192.168.2.3:49696 -> 3.142.167.4:12549
Source: global traffic; TCP traffic: 192.168.2.3:49706 -> 13.58.157.220:12549
Source: global traffic; TCP traffic: 192.168.2.3:49715 -> 3.142.167.54:12549
Source: E0QkjJowwG.exe; String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: E0QkjJowwG.exe; String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: E0QkjJowwG.exe; String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp; String found in binary or memory: http://www.enigmaprotector.com/
Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp; String found in binary or memory: http://www.enigmaprotector.com/openU
Source: unknown; DNS traffic detected: queries for: 8.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs; .Net Code: VKCodeToUnicode
Creates a DirectInput object (often for capturing keystrokes)
Source: E0QkjJowwG.exe, 00000000.00000002.306621221.00000000013EA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat
Source: Yara match; File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
PE file has nameless sections
Source: E0QkjJowwG.exe; Static PE information: section name:
Source: E0QkjJowwG.exe; Static PE information: section name:
Source: E0QkjJowwG.exe; Static PE information: section name:
Source: E0QkjJowwG.exe; Static PE information: section name:
Source: Yandex.exe.0.dr; Static PE information: section name:
Source: Yandex.exe.0.dr; Static PE information: section name:
Source: Yandex.exe.0.dr; Static PE information: section name:
Source: Yandex.exe.0.dr; Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr; Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr; Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr; Static PE information: section name:
Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr; Static PE information: section name:
Uses 32bit PE files
Source: E0QkjJowwG.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: E0QkjJowwG.exe, type: SAMPLE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 1.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 5.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 0.0.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 6.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 7.0.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: njrat1 (date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net)
Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Njrat (hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe, type: DROPPED; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Source: C:\Users\user\Yandex.exe, type: DROPPED; Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
Detected potential crypto function
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Code function: 0_2_010AE411
Source: C:\Users\user\Yandex.exe; Code function: 1_2_000E00CF
Source: C:\Users\user\Yandex.exe; Code function: 5_2_000E00CF
Source: C:\Users\user\Yandex.exe; Code function: 6_2_000E00CF
Source: E0QkjJowwG.exe; Virustotal: Detection: 42%
Source: E0QkjJowwG.exe; Metadefender: Detection: 34%
Source: E0QkjJowwG.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; File read: C:\Users\user\Desktop\E0QkjJowwG.exe
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\E0QkjJowwG.exe 'C:\Users\user\Desktop\E0QkjJowwG.exe'
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown; Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: unknown; Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe' ..
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
Source: C:\Users\user\Yandex.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\E0QkjJowwG.exe; File created: C:\Users\user\Yandex.exe
      Source: classification engineClassification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/3@32/6
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Yandex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Yandex.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
      Source: C:\Users\user\Yandex.exeMutant created: \Sessions\1\BaseNamedObjects\33a62d2d2e6f6fc30153b1b0408eca36SGFjS2Vk
      Source: C:\Users\user\Yandex.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Yandex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Yandex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Yandex.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\E0QkjJowwG.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: E0QkjJowwG.exeStatic file information: File size 1246208 > 1048576

      Data Obfuscation:

      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack
      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Unpacked PE file: 0.2.E0QkjJowwG.exe.f20000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 1.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 5.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 6.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
      Source: C:\Users\user\Yandex.exe Unpacked PE file: 7.2.Yandex.exe.70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
      .NET source code contains potential unpacker
      Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Code function: 0_2_00F26DC3 push cs; retf
      Source: C:\Users\user\Yandex.exe Code function: 1_2_00076DC3 push cs; retf
      Source: C:\Users\user\Yandex.exe Code function: 5_2_00076DC3 push cs; retf
      Source: C:\Users\user\Yandex.exe Code function: 6_2_00076DC3 push cs; retf
      Source: E0QkjJowwG.exe Static PE information: section name: (empty; 4 nameless sections)
      Source: Yandex.exe.0.dr Static PE information: section name: (empty; 4 nameless sections)
      Source: 33a62d2d2e6f6fc30153b1b0408eca36.exe.1.dr Static PE information: section name: (empty; 4 nameless sections)
      Source: initial sample Static PE information: section where entry point is pointing to: .data
      Source: initial sample Static PE information: section name: (empty) entropy: 7.92098871266 (3 occurrences)
      Source: initial sample Static PE information: section name: .data entropy: 7.98017185611 (3 occurrences)
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe
      Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe

      Boot Survival:

      Drops PE files to the startup folder
      Source: C:\Users\user\Yandex.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
      Creates autostart registry keys with suspicious names
      Source: C:\Users\user\Yandex.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36
      Drops PE files to the user root directory
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe File created: C:\Users\user\Yandex.exe

      Hooking and other Techniques for Hiding and Protection:

      Changes the view of files in windows explorer (hidden files and folders)
      Source: C:\Users\user\Yandex.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
      Source: C:\Users\user\Yandex.exe Process information set: NOOPENFILEERRORBOX (96 occurrences)
      Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)

      Malware Analysis System Evasion:

      Tries to evade analysis by execution special instruction which cause usermode exception
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Special instruction interceptor: First address: 0000000001030700 instructions 0F0B caused by: Known instruction #UD exception
      Source: C:\Users\user\Yandex.exe Special instruction interceptor: First address: 0000000000180700 instructions 0F0B caused by: Known instruction #UD exception
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe TID: 5480 Thread sleep count: 76 > 30
      Source: C:\Users\user\Yandex.exe TID: 5104 Thread sleep time: -48000s >= -30000s
      Source: C:\Users\user\Yandex.exe TID: 3648 Thread sleep time: -34000s >= -30000s
      Source: C:\Users\user\Yandex.exe TID: 5416 Thread sleep count: 76 > 30
      Source: C:\Users\user\Yandex.exe TID: 5416 Thread sleep count: 322 > 30
      Source: C:\Users\user\Yandex.exe TID: 4756 Thread sleep count: 586 > 30
      Source: C:\Users\user\Yandex.exe TID: 4756 Thread sleep count: 51 > 30
      Source: C:\Users\user\Yandex.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 362
      Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 6086
      Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 608
      Source: C:\Users\user\Yandex.exe Window / User API: threadDelayed 586
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe Process information queried: ProcessInformation
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-V (guest)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: ~VirtualMachineTypes
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305995650.00000000010AC000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556923512.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.362061726.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.379152364.00000000001FC000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396880289.00000000001FC000.00000040.00020000.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: )Windows 8 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: %Windows 2012 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: $Windows 8.1 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: ,Windows 2012 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Microsoft Hyper-V Server
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: ,Windows 2016 Server Standard without Hyper-V
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: VBoxService.exe
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Hyper-VU
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: *Windows 10 Server Standard without Hyper-V
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
      Source: Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: VMWare
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
      Source: Yandex.exe, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
      Source: E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Yandex.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process token adjusted: Debug
      Source: C:\Users\user\Yandex.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      .NET source code references suspicious native API functions
      Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
      Source: 1.2.Yandex.exe.70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Source: 1.2.Yandex.exe.70000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
      Source: 5.2.Yandex.exe.70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Source: 5.2.Yandex.exe.70000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
      Source: 6.2.Yandex.exe.70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Source: 6.2.Yandex.exe.70000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
      Source: 7.2.Yandex.exe.70000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Source: 7.2.Yandex.exe.70000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
      Source: C:\Users\user\Desktop\E0QkjJowwG.exe | Process created: C:\Users\user\Yandex.exe 'C:\Users\user\Yandex.exe'
      Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
      Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: Yandex.exe, 00000001.00000002.557656558.00000000014E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9
      Source: Yandex.exe, 00000001.00000002.558616833.0000000003DB0000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
      Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Yandex.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings:

      Uses netsh to modify the Windows network and firewall settings
      Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
      Modifies the windows firewall
      Source: C:\Users\user\Yandex.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match | File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

Remote Access Functionality:

Yara detected Njrat
Source: Yara match | File source: 0.2.E0QkjJowwG.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Yandex.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E0QkjJowwG.exe PID: 2700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 3100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Yandex.exe PID: 4764, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media11 | Native API1 | Startup Items1 | Startup Items1 | Masquerading111 | Input Capture11 | Security Software Discovery31 | Replication Through Removable Media11 | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder221 | Process Injection12 | Virtualization/Sandbox Evasion11 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder221 | Disable or Modify Tools21 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Peripheral Device Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing32 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

[Behavior graph, ID 492550. Sample: E0QkjJowwG, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 100. Sample-level signatures: Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, 11 other signatures. Processes: E0QkjJowwG.exe drops C:\Users\user\Yandex.exe (PE32) and starts Yandex.exe; its signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Drops PE files to the user root directory, Tries to evade analysis by execution special instruction which cause usermode exception. Yandex.exe is started three further times (signature: Hides threads from debuggers). The Yandex.exe child of E0QkjJowwG.exe contacts 13.58.157.220 and 3.142.129.56 on port 12549 (AMAZON-02US, United States) plus 4 other IPs or domains, resolves 8.tcp.ngrok.io, drops C:\...\33a62d2d2e6f6fc30153b1b0408eca36.exe (PE32), and starts netsh.exe, which starts conhost.exe; its signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), 9 other signatures.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
E0QkjJowwG.exe | 43% | Virustotal |
E0QkjJowwG.exe | 34% | Metadefender |
E0QkjJowwG.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
E0QkjJowwG.exe | 100% | Avira | HEUR/AGEN.1142875
E0QkjJowwG.exe | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 100% | Avira | HEUR/AGEN.1142875
C:\Users\user\Yandex.exe | 100% | Avira | HEUR/AGEN.1142875
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 100% | Joe Sandbox ML |
C:\Users\user\Yandex.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 34% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Yandex.exe | 34% | Metadefender |
C:\Users\user\Yandex.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

      Unpacked PE Files

Source | Detection | Scanner | Label
5.2.Yandex.exe.a0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
6.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
1.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
6.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.2.E0QkjJowwG.exe.f20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
7.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
5.2.Yandex.exe.70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
5.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.2.E0QkjJowwG.exe.f50000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.2.Yandex.exe.a0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
7.0.Yandex.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
0.0.E0QkjJowwG.exe.f20000.0.unpack | 100% | Avira | HEUR/AGEN.1142875
6.2.Yandex.exe.a0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
7.2.Yandex.exe.a0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
http://www.enigmaprotector.com/ | 0% | URL Reputation | safe
http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe
http://www.enigmaprotector.com/openU | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
8.tcp.ngrok.io | 3.19.130.43 | true | false | | high

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr | E0QkjJowwG.exe | false | | high
http://www.enigmaprotector.com/ | Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | false | URL Reputation: safe | unknown
http://pki-ocsp.symauth.com0 | E0QkjJowwG.exe | false | URL Reputation: safe | unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07 | E0QkjJowwG.exe | false | | high
http://www.enigmaprotector.com/openU | E0QkjJowwG.exe, 00000000.00000002.305395430.0000000000F50000.00000040.00020000.sdmp, Yandex.exe, 00000001.00000002.556321941.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000005.00000002.360850734.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000006.00000002.378968325.00000000000A0000.00000040.00020000.sdmp, Yandex.exe, 00000007.00000002.396704118.00000000000A0000.00000040.00020000.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.142.129.56 | unknown | United States | 16509 | AMAZON-02US | true
3.142.81.166 | unknown | United States | 16509 | AMAZON-02US | true
3.142.167.4 | unknown | United States | 16509 | AMAZON-02US | true
3.19.130.43 | 8.tcp.ngrok.io | United States | 16509 | AMAZON-02US | false
13.58.157.220 | unknown | United States | 16509 | AMAZON-02US | true
3.142.167.54 | unknown | United States | 16509 | AMAZON-02US | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492550
Start date: 28.09.2021
Start time: 20:03:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: E0QkjJowwG (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.adwa.spyw.evad.winEXE@9/3@32/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 88.1% (good quality ratio 83%)
• Quality average: 77.9%
• Quality standard deviation: 27.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 8.253.207.121, 8.248.119.254, 8.238.85.126, 67.26.139.254, 8.248.139.254
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

Time | Type | Description
20:04:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:41 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 33a62d2d2e6f6fc30153b1b0408eca36 "C:\Users\user\Yandex.exe" ..
20:04:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe
Process: C:\Users\user\Yandex.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1246208
Entropy (8bit): 7.913768279846037
Encrypted: false
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl
MD5: A1B69800AEB7ECBC49EBB13CE4A88737
SHA1: 96E25AED75903A5A84BE3175C6E834A44833BC5D
SHA-256: 09BC9C08F80F93317CD8769F85D8921787C677033A5B12A6C310FB92D83F6E41
SHA-512: D4D5112B5F7C7ED676B2D41828B25A339A39235AAF8DE51BC1CFDD35A73ACF279CD3E7AC0434F93EAF20D35F9A5173FF0C49987B6D5B8E4E03131C29DEDC20C5
Malicious: true
Yara Hits:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33a62d2d2e6f6fc30153b1b0408eca36.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 60%
Reputation: unknown
C:\Users\user\Yandex.exe
Process: C:\Users\user\Desktop\E0QkjJowwG.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1246208
Entropy (8bit): 7.913768279846037
Encrypted: false
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl
MD5: A1B69800AEB7ECBC49EBB13CE4A88737
SHA1: 96E25AED75903A5A84BE3175C6E834A44833BC5D
SHA-256: 09BC9C08F80F93317CD8769F85D8921787C677033A5B12A6C310FB92D83F6E41
SHA-512: D4D5112B5F7C7ED676B2D41828B25A339A39235AAF8DE51BC1CFDD35A73ACF279CD3E7AC0434F93EAF20D35F9A5173FF0C49987B6D5B8E4E03131C29DEDC20C5
Malicious: true
Yara Hits:
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\Yandex.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 60%
Reputation: unknown
\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 313
Entropy (8bit): 4.971939296804078
Encrypted: false
SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5: 689E2126A85BF55121488295EE068FA1
SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious: false
Reputation: unknown
Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

            Static File Info

            General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.913768279846037
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: E0QkjJowwG.exe
File size: 1246208
MD5: a1b69800aeb7ecbc49ebb13ce4a88737
SHA1: 96e25aed75903a5a84be3175c6e834a44833bc5d
SHA256: 09bc9c08f80f93317cd8769f85d8921787c677033a5b12a6c310fb92d83f6e41
SHA512: d4d5112b5f7c7ed676b2d41828b25a339a39235aaf8de51bc1cfdd35a73acf279cd3e7ac0434f93eaf20d35f9a5173ff0c49987b6d5b8e4e03131c29dedc20c5
SSDEEP: 24576:e5Cunz2U3pf2TDdQc1BSLppkpYTBFf4obQ4E7x12VludRAgxlJ:27f2TG+BSdpkqTBFpbVE7xYudOMl

            File Icon

Icon Hash: 70c09286acceec31

            Static PE Info

            General

Entrypoint: 0x7ab9ec
Entrypoint Section: .data
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x610909D1 [Tue Aug 3 09:18:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2e5467cba76f44a088d39f78c5e807b6

            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c5020 | 0x210 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x10b0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c5000 | 0xc | .data
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(nameless) | 0x2000 | 0x8000 | 0x3c00 | False | 0.970572916667 | data | 7.92098871266 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0xa000 | 0x12000 | 0x200 | False | 0.072265625 | data | 0.487890975135 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x1c000 | 0x2000 | 0x200 | False | 0.056640625 | data | 0.321716074313 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1e000 | 0x12000 | 0x10c00 | False | 0.185867537313 | data | 4.58721100046 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x30000 | 0x292000 | 0x2e800 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x2c2000 | 0xec000 | 0xeb000 | False | 0.987041846742 | data | 7.98017185611 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1e0e8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0x2e910 | 0x14 | data | |
RT_MANIFEST | 0x2e924 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

            Imports

DLL | Import
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
mscoree.dll | _CorExeMain

            Network Behavior

            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/28/21-20:04:32.486838 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60496 | 8.8.8.8 | 192.168.2.3
09/28/21-20:04:43.011013 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62151 | 8.8.8.8 | 192.168.2.3
09/28/21-20:04:50.439909 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49539 | 8.8.8.8 | 192.168.2.3
09/28/21-20:04:54.112899 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57558 | 8.8.8.8 | 192.168.2.3
09/28/21-20:05:11.955219 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58045 | 8.8.8.8 | 192.168.2.3
09/28/21-20:05:15.454923 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57459 | 8.8.8.8 | 192.168.2.3
09/28/21-20:05:22.686753 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54154 | 8.8.8.8 | 192.168.2.3
09/28/21-20:05:26.417990 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52806 | 8.8.8.8 | 192.168.2.3
09/28/21-20:05:58.855200 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52130 | 8.8.8.8 | 192.168.2.3
09/28/21-20:06:13.000628 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49559 | 8.8.8.8 | 192.168.2.3
09/28/21-20:06:20.264329 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63297 | 8.8.8.8 | 192.168.2.3

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 28, 2021 20:04:32.494705915 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:32.646075964 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:33.152524948 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:33.301923037 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:33.809551954 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:33.958230019 CEST | 12549 | 49690 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:36.009938002 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:36.158320904 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:36.669785976 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:36.818339109 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:37.324877024 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:37.474112988 CEST | 12549 | 49691 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:39.509716988 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:39.657840014 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:40.168752909 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:40.316986084 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:40.825207949 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:40.973334074 CEST | 12549 | 49692 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:43.013307095 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:43.162750959 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:43.670242071 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:43.820327997 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:44.325480938 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:44.474318981 CEST | 12549 | 49693 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:46.514872074 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:46.663427114 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:47.169485092 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:47.317873955 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:47.825602055 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
            Sep 28, 2021 20:04:48.120898008 CEST | 12549 | 49694 | 3.142.129.56 | 192.168.2.3
            Sep 28, 2021 20:04:50.589143991 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:50.738152981 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:51.248143911 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:51.397202969 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:51.906282902 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
            Sep 28, 2021 20:04:52.055583954 CEST | 12549 | 49695 | 3.142.81.166 | 192.168.2.3
            Sep 28, 2021 20:04:54.115447044 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:54.264077902 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:54.763753891 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:54.912102938 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:55.420063972 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:04:55.569694996 CEST | 12549 | 49696 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:04:57.606873989 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:57.755604982 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:58.264122963 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:58.413053989 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:04:58.920432091 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:04:59.069017887 CEST | 12549 | 49697 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:01.104893923 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:01.253823042 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:01.764389992 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:01.916882992 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:02.420602083 CEST | 49698 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:02.569538116 CEST | 12549 | 49698 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:04.752793074 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:04.900978088 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:05.405242920 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:05.553455114 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:06.061832905 CEST | 49700 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:06.209996939 CEST | 12549 | 49700 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:08.449039936 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:08.597362041 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:09.108802080 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:09.257083893 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:09.764964104 CEST | 49701 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:09.913146973 CEST | 12549 | 49701 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:11.957526922 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:12.106084108 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:12.608983040 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:12.757340908 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:13.265381098 CEST | 49702 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:13.414545059 CEST | 12549 | 49702 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:15.456262112 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:15.604578972 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:16.109292030 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:16.257626057 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:16.765732050 CEST | 49703 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:16.914838076 CEST | 12549 | 49703 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:18.951183081 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:19.099478006 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:19.609648943 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:19.759922981 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:20.265989065 CEST | 49704 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:20.416990995 CEST | 12549 | 49704 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:22.689666033 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:22.838098049 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:23.344409943 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:23.493143082 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:24.000622034 CEST | 49705 | 12549 | 192.168.2.3 | 3.19.130.43
            Sep 28, 2021 20:05:24.148941040 CEST | 12549 | 49705 | 3.19.130.43 | 192.168.2.3
            Sep 28, 2021 20:05:26.423860073 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:26.578692913 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:27.079024076 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:27.227451086 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:27.735289097 CEST | 49706 | 12549 | 192.168.2.3 | 13.58.157.220
            Sep 28, 2021 20:05:27.884355068 CEST | 12549 | 49706 | 13.58.157.220 | 192.168.2.3
            Sep 28, 2021 20:05:29.928553104 CEST | 49707 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:30.077085972 CEST | 12549 | 49707 | 3.142.167.4 | 192.168.2.3
            Sep 28, 2021 20:05:30.579598904 CEST | 49707 | 12549 | 192.168.2.3 | 3.142.167.4
            Sep 28, 2021 20:05:30.728188992 CEST | 12549 | 49707 | 3.142.167.4 | 192.168.2.3

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 28, 2021 20:04:32.464540958 CEST | 60496 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:32.486838102 CEST | 53 | 60496 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:35.990257978 CEST | 59579 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:36.007617950 CEST | 53 | 59579 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:39.490201950 CEST | 54781 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:39.507852077 CEST | 53 | 54781 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:42.990324020 CEST | 62151 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:43.011013031 CEST | 53 | 62151 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:46.492119074 CEST | 51209 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:46.511693001 CEST | 53 | 51209 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:50.417612076 CEST | 49539 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:50.439908981 CEST | 53 | 49539 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:54.089463949 CEST | 57558 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:54.112899065 CEST | 53 | 57558 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:04:57.585732937 CEST | 53187 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:04:57.604866028 CEST | 53 | 53187 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:01.084588051 CEST | 58604 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:01.102406979 CEST | 53 | 58604 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:01.439946890 CEST | 51668 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:01.457065105 CEST | 53 | 51668 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:04.733242989 CEST | 52206 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:04.751188993 CEST | 53 | 52206 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:08.423963070 CEST | 56844 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:08.443677902 CEST | 53 | 56844 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:11.933850050 CEST | 58045 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:11.955219030 CEST | 53 | 58045 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:15.433373928 CEST | 57459 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:15.454922915 CEST | 53 | 57459 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:18.929981947 CEST | 57875 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:18.949404001 CEST | 53 | 57875 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:22.664371967 CEST | 54154 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:22.686753035 CEST | 53 | 54154 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:26.395843029 CEST | 52806 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:26.417989969 CEST | 53 | 52806 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:29.904227972 CEST | 53910 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:29.924336910 CEST | 53 | 53910 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:33.407552004 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:33.427434921 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:36.903136969 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:36.920691013 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:40.521313906 CEST | 51143 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:40.541754007 CEST | 53 | 51143 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:44.543060064 CEST | 56009 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:44.562714100 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:48.072393894 CEST | 59026 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:48.091933012 CEST | 53 | 59026 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:51.574587107 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:51.594619036 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:55.132102966 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:55.154114962 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:05:58.832813025 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:05:58.855200052 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:02.340394020 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:02.361852884 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:05.844444990 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:05.864159107 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:09.352875948 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:09.373269081 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:12.970681906 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:13.000627995 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:16.756254911 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:16.776082039 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:20.244434118 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:20.264328957 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
            Sep 28, 2021 20:06:23.741792917 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 28, 2021 20:06:23.761253119 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Sep 28, 2021 20:04:32.464540958 CEST | 192.168.2.3 | 8.8.8.8 | 0x453 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:35.990257978 CEST | 192.168.2.3 | 8.8.8.8 | 0x97b8 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:39.490201950 CEST | 192.168.2.3 | 8.8.8.8 | 0x1b5 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:42.990324020 CEST | 192.168.2.3 | 8.8.8.8 | 0x18ea | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:46.492119074 CEST | 192.168.2.3 | 8.8.8.8 | 0x5c16 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:50.417612076 CEST | 192.168.2.3 | 8.8.8.8 | 0x9793 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:54.089463949 CEST | 192.168.2.3 | 8.8.8.8 | 0x62d6 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:57.585732937 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b62 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:01.084588051 CEST | 192.168.2.3 | 8.8.8.8 | 0xa907 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:04.733242989 CEST | 192.168.2.3 | 8.8.8.8 | 0xd04a | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:08.423963070 CEST | 192.168.2.3 | 8.8.8.8 | 0x1621 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:11.933850050 CEST | 192.168.2.3 | 8.8.8.8 | 0x6106 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:15.433373928 CEST | 192.168.2.3 | 8.8.8.8 | 0x62bd | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:18.929981947 CEST | 192.168.2.3 | 8.8.8.8 | 0x813d | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:22.664371967 CEST | 192.168.2.3 | 8.8.8.8 | 0xb69c | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:26.395843029 CEST | 192.168.2.3 | 8.8.8.8 | 0xe838 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:29.904227972 CEST | 192.168.2.3 | 8.8.8.8 | 0x3488 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:33.407552004 CEST | 192.168.2.3 | 8.8.8.8 | 0x666b | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:36.903136969 CEST | 192.168.2.3 | 8.8.8.8 | 0x9eca | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:40.521313906 CEST | 192.168.2.3 | 8.8.8.8 | 0x7931 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:44.543060064 CEST | 192.168.2.3 | 8.8.8.8 | 0xcb20 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:48.072393894 CEST | 192.168.2.3 | 8.8.8.8 | 0x485 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:51.574587107 CEST | 192.168.2.3 | 8.8.8.8 | 0x65ff | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:55.132102966 CEST | 192.168.2.3 | 8.8.8.8 | 0x9d9f | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:58.832813025 CEST | 192.168.2.3 | 8.8.8.8 | 0x3be7 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:02.340394020 CEST | 192.168.2.3 | 8.8.8.8 | 0x9005 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:05.844444990 CEST | 192.168.2.3 | 8.8.8.8 | 0x5888 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:09.352875948 CEST | 192.168.2.3 | 8.8.8.8 | 0x1be3 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:12.970681906 CEST | 192.168.2.3 | 8.8.8.8 | 0xd553 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:16.756254911 CEST | 192.168.2.3 | 8.8.8.8 | 0xc9d8 | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:20.244434118 CEST | 192.168.2.3 | 8.8.8.8 | 0x611a | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:23.741792917 CEST | 192.168.2.3 | 8.8.8.8 | 0xd1db | Standard query (0) | 8.tcp.ngrok.io | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Sep 28, 2021 20:04:32.486838102 CEST | 8.8.8.8 | 192.168.2.3 | 0x453 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:36.007617950 CEST | 8.8.8.8 | 192.168.2.3 | 0x97b8 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:39.507852077 CEST | 8.8.8.8 | 192.168.2.3 | 0x1b5 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:43.011013031 CEST | 8.8.8.8 | 192.168.2.3 | 0x18ea | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:46.511693001 CEST | 8.8.8.8 | 192.168.2.3 | 0x5c16 | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:50.439908981 CEST | 8.8.8.8 | 192.168.2.3 | 0x9793 | No error (0) | 8.tcp.ngrok.io | | 3.142.81.166 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:54.112899065 CEST | 8.8.8.8 | 192.168.2.3 | 0x62d6 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:04:57.604866028 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b62 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:01.102406979 CEST | 8.8.8.8 | 192.168.2.3 | 0xa907 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:04.751188993 CEST | 8.8.8.8 | 192.168.2.3 | 0xd04a | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:08.443677902 CEST | 8.8.8.8 | 192.168.2.3 | 0x1621 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:11.955219030 CEST | 8.8.8.8 | 192.168.2.3 | 0x6106 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:15.454922915 CEST | 8.8.8.8 | 192.168.2.3 | 0x62bd | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:18.949404001 CEST | 8.8.8.8 | 192.168.2.3 | 0x813d | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:22.686753035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb69c | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:26.417989969 CEST | 8.8.8.8 | 192.168.2.3 | 0xe838 | No error (0) | 8.tcp.ngrok.io | | 13.58.157.220 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:29.924336910 CEST | 8.8.8.8 | 192.168.2.3 | 0x3488 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:33.427434921 CEST | 8.8.8.8 | 192.168.2.3 | 0x666b | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:36.920691013 CEST | 8.8.8.8 | 192.168.2.3 | 0x9eca | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:40.541754007 CEST | 8.8.8.8 | 192.168.2.3 | 0x7931 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:44.562714100 CEST | 8.8.8.8 | 192.168.2.3 | 0xcb20 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.4 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:48.091933012 CEST | 8.8.8.8 | 192.168.2.3 | 0x485 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:51.594619036 CEST | 8.8.8.8 | 192.168.2.3 | 0x65ff | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:55.154114962 CEST | 8.8.8.8 | 192.168.2.3 | 0x9d9f | No error (0) | 8.tcp.ngrok.io | | 13.58.157.220 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:05:58.855200052 CEST | 8.8.8.8 | 192.168.2.3 | 0x3be7 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:02.361852884 CEST | 8.8.8.8 | 192.168.2.3 | 0x9005 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:05.864159107 CEST | 8.8.8.8 | 192.168.2.3 | 0x5888 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:09.373269081 CEST | 8.8.8.8 | 192.168.2.3 | 0x1be3 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:13.000627995 CEST | 8.8.8.8 | 192.168.2.3 | 0xd553 | No error (0) | 8.tcp.ngrok.io | | 3.19.130.43 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:16.776082039 CEST | 8.8.8.8 | 192.168.2.3 | 0xc9d8 | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:20.264328957 CEST | 8.8.8.8 | 192.168.2.3 | 0x611a | No error (0) | 8.tcp.ngrok.io | | 3.142.129.56 | A (IP address) | IN (0x0001)
            Sep 28, 2021 20:06:23.761253119 CEST | 8.8.8.8 | 192.168.2.3 | 0xd1db | No error (0) | 8.tcp.ngrok.io | | 3.142.167.54 | A (IP address) | IN (0x0001)
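            The TCP Packets and DNS tables above carry the network signal a detection engineer would want to score automatically: every 3.5 seconds or so the sample resolves 8.tcp.ngrok.io again and opens a fresh source port to port 12549, while the destination IP keeps changing (3.19.130.43, 3.142.129.56, 3.142.81.166, 3.142.167.4, 13.58.157.220, 3.142.167.54) because the ngrok tunnel name resolves to a rotating pool of cloud addresses. The IP is therefore a poor indicator; the hostname plus the reconnect cadence is the stable one. The Python below is an added example written for this report, not Joe Sandbox code: it takes rows copied from the two tables (pipe-separated here), collapses the repeated attempts per source port into one connection, maps each destination IP back to the tunnel hostname through the DNS answers, and scores how regular the reconnect interval is. The tunnel-provider suffix list and the two thresholds are assumptions.

```python
"""Beacon / tunnel-C2 triage over the TCP Packets and DNS Answers tables.

Added example for this report, not Joe Sandbox code. The rows below are
copied from the report's tables; the tunnel-provider suffix list and the
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Outbound rows only (source 192.168.2.3), copied from the TCP Packets table.
# A source port appears up to three times in the report; only the earliest
# row per port counts as a new connection below.
TCP_ROWS = """\
Sep 28, 2021 20:04:32.494705915 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:33.152524948 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:33.809551954 CEST | 49690 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:36.009938002 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:36.669785976 CEST | 49691 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:39.509716988 CEST | 49692 | 12549 | 192.168.2.3 | 3.19.130.43
Sep 28, 2021 20:04:43.013307095 CEST | 49693 | 12549 | 192.168.2.3 | 3.142.129.56
Sep 28, 2021 20:04:46.514872074 CEST | 49694 | 12549 | 192.168.2.3 | 3.142.129.56
Sep 28, 2021 20:04:50.589143991 CEST | 49695 | 12549 | 192.168.2.3 | 3.142.81.166
Sep 28, 2021 20:04:54.115447044 CEST | 49696 | 12549 | 192.168.2.3 | 3.142.167.4
Sep 28, 2021 20:04:57.606873989 CEST | 49697 | 12549 | 192.168.2.3 | 3.19.130.43
"""

# (name, address) pairs from the DNS Answers table, one per distinct address.
DNS_ROWS = """\
8.tcp.ngrok.io | 3.19.130.43
8.tcp.ngrok.io | 3.142.129.56
8.tcp.ngrok.io | 3.142.81.166
8.tcp.ngrok.io | 3.142.167.4
8.tcp.ngrok.io | 13.58.157.220
8.tcp.ngrok.io | 3.142.167.54
"""

# Assumption: domains of reverse-tunnel services. A controller behind one of
# them gets a rotating cloud IP, so the name is the indicator, not the IP.
TUNNEL_SUFFIXES = (".tcp.ngrok.io",)
MIN_CONNECTIONS = 5   # assumption: fewer reconnects do not establish a cadence
MAX_JITTER = 0.25     # assumption: stdev/mean below this counts as periodic


def parse_ts(text):
    """Parse 'Sep 28, 2021 20:04:32.494705915 CEST'. datetime keeps only
    microseconds, so the last three fraction digits are dropped."""
    head, frac = text.replace(" CEST", "").rsplit(".", 1)
    stamp = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return stamp.replace(microsecond=int(frac[:6]))


def tunnel_hosts(dns_text):
    """Map each resolved name under a tunnel-provider suffix to its set of IPs."""
    hosts = defaultdict(set)
    for line in dns_text.splitlines():
        name, addr = (f.strip() for f in line.split("|"))
        if name.endswith(TUNNEL_SUFFIXES):
            hosts[name].add(addr)
    return hosts


def new_connections(tcp_text):
    """Earliest row per (src_ip, src_port, dst_ip, dst_port) flow, in time order."""
    first = {}
    for line in tcp_text.splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        key = (sip, int(sport), dip, int(dport))
        stamp = parse_ts(ts)
        if key not in first or stamp < first[key]:
            first[key] = stamp
    return sorted((stamp, key) for key, stamp in first.items())


def triage(tcp_text, dns_text):
    """Group new connections by destination *name* (via DNS answers) and port,
    then measure how regular the reconnect interval is."""
    hosts = tunnel_hosts(dns_text)
    ip_to_name = {ip: name for name, ips in hosts.items() for ip in ips}
    flows = defaultdict(list)
    for stamp, (sip, _sport, dip, dport) in new_connections(tcp_text):
        name = ip_to_name.get(dip)
        if name:
            flows[(sip, name, dport)].append(stamp)
    findings = []
    for (sip, name, dport), stamps in flows.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg
        findings.append({
            "src": sip, "c2_name": name, "dst_port": dport,
            "resolved_ips": sorted(hosts[name]),
            "connections": len(stamps),
            "mean_interval_s": round(avg, 3),
            "jitter": round(jitter, 3),
            "periodic": jitter < MAX_JITTER,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(TCP_ROWS, DNS_ROWS):
        print(finding)
```

            On the rows above this yields one finding: 8 connections from 192.168.2.3 to 8.tcp.ngrok.io:12549 with a mean gap of about 3.59 s and a jitter well under the threshold, so the flow is flagged as periodic. Grouping by resolved name rather than by destination IP is the point of the exercise; grouped by IP, the same beacon would split into four short flows and none of them would reach MIN_CONNECTIONS.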

            Code Manipulations

            Statistics

            Behavior


            System Behavior

            General

            Start time:20:04:14
            Start date:28/09/2021
            Path:C:\Users\user\Desktop\E0QkjJowwG.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\E0QkjJowwG.exe'
            Imagebase:0xf20000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.305336564.0000000000F22000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:20:04:21
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe'
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.558514473.0000000003CCE000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.556263491.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Users\user\Yandex.exe, Author: Florian Roth
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 34%, Metadefender, Browse
            • Detection: 60%, ReversingLabs
            Reputation:low

            General

            Start time:20:04:29
            Start date:28/09/2021
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:netsh firewall add allowedprogram 'C:\Users\user\Yandex.exe' 'Yandex.exe' ENABLE
            Imagebase:0xe40000
            File size:82944 bytes
            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:04:30
            Start date:28/09/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:04:41
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000002.360786474.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:20:04:50
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000006.00000002.378938056.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:20:04:58
            Start date:28/09/2021
            Path:C:\Users\user\Yandex.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Yandex.exe' ..
            Imagebase:0x70000
            File size:1246208 bytes
            MD5 hash:A1B69800AEB7ECBC49EBB13CE4A88737
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.396666249.0000000000072000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Disassembly

            Code Analysis
