Windows Analysis Report
UOp1kufsuw.exe

Overview

General Information

Sample name:	UOp1kufsuw.exe renamed because original name is a hash value
Original sample name:	3B4EE472D9C872BA1D96B7A676E809BA.exe
Analysis ID:	1542429
MD5:	3b4ee472d9c872ba1d96b7a676e809ba
SHA1:	33186a216fe8a37a993f42477b8f813a56ba5f09
SHA256:	a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
Tags:	exeNanoCoreRATuser-abuse_ch
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Suricata IDS alerts for network traffic

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UOp1kufsuw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://google.com

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "eb61e2ce-2d81-45ac-8d80-3083f0de", "Group": "Default", "Domain1": "josh289232.duckdns.org", "Domain2": "", "Port": 1608, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29985, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8006, "BufferSize": "02000100", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "1.1.1.1", "BackupDNSServer": "1.0.0.1", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: UOp1kufsuw.exe

ReversingLabs: Detection: 97%

Yara detected Nanocore RAT

Source: Yara match	File source: UOp1kufsuw.exe, type: SAMPLE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UOp1kufsuw.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: UOp1kufsuw.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\UOp1kufsuw.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Source:	Binary string: \??\C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp

Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49716 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49716 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49741 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49720 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49741 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49720 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49722 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49722 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49720 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49867 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49867 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49826 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49826 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49897 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49924 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49924 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49897 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49996 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:50000 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:50000 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49997 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49996 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49997 -> 192.169.69.26:1608

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: josh289232.duckdns.org

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49716 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49741 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49720 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49722 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49826 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49867 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49897 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49924 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49996 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49997 -> 192.169.69.26:1608
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:50000 -> 192.169.69.26:1608

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05271966 NtQuerySystemInformation,		0_2_05271966
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_0527192B NtQuerySystemInformation,		0_2_0527192B

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05F342EB	0_2_05F342EB
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05F346D3	0_2_05F346D3
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05F33324	0_2_05F33324
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B3850	0_2_050B3850
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B9370	0_2_050B9370
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B9F70	0_2_050B9F70
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B2FA8	0_2_050B2FA8
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B23A0	0_2_050B23A0
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050BE2C8	0_2_050BE2C8
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050BBAC0	0_2_050BBAC0
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050BA037	0_2_050BA037
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B306F	0_2_050B306F
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050BC787	0_2_050BC787
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050B32BB	0_2_050B32BB
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_050BC6C0	0_2_050BC6C0

Source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011050016.0000000005DA8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005F18000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011160273.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe

Source: UOp1kufsuw.exe	Static PE information: Section: .rsrc ZLIB complexity 1.0003032248858448
Source: dnshost.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0003032248858448

Source: UOp1kufsuw.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UOp1kufsuw.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05271726 AdjustTokenPrivileges,		0_2_05271726
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_052716EF AdjustTokenPrivileges,		0_2_052716EF

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{eb61e2ce-2d81-45ac-8d80-3083f0def8b6}
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: unknown	Process created: C:\Users\user\Desktop\UOp1kufsuw.exe "C:\Users\user\Desktop\UOp1kufsuw.exe"
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356	Jump to behavior

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: UOp1kufsuw.exe, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_011E9E24 pushfd ; retf		0_2_011E9E25
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_011E9E5C pushfd ; retf		0_2_011E9E5D

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Windows Analysis Report UOp1kufsuw.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UOp1kufsuw.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Memory allocated: 1270000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Window / User API: threadDelayed 7216	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Window / User API: foregroundWindowGot 726	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Window / User API: foregroundWindowGot 773	Jump to behavior

Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7628	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7612	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7628	Thread sleep time: -3608000s >= -30000s	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dw20.exe, 00000004.00000003.3005555367.000000000053F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.000000000051B000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.0000000000540000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000003.3005457294.000000000053D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000004.00000003.3005555367.000000000053F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.0000000000540000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000003.3005457294.000000000053D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05272DFA bind,		0_2_05272DFA
Source: C:\Users\user\Desktop\UOp1kufsuw.exe	Code function: 0_2_05272DDA bind,		0_2_05272DDA

ID:	1542429
Product:	CloudBasic
Start time:	22:41:05
Start date:	25.10.2024
Sample:	UOp1kufsuw.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3b4ee472d9c872ba1d96b7a676e809ba
SHA1:	33186a216fe8a37a993f42477b8f813a56ba5f09
SHA256:	a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DNS Host\dnshost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3B4EE472D9C872BA1D96B7A676E809BA	33186A216FE8A37A993F42477B8F813A56BA5F09	A317BCADEF76FEEC57223D92244A322EB4409990808A7BAB96CC929FBC4A7164
C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UOp1kufsuw.exe_4343b25f289f3e5955695467cabea10b29f50_00000000_d9943c9d-5599-4d1e-8d3e-c6c5c2579d62\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7AA543332D9F2ED0FF75E7D6B2CF8EE3	5B775019CB007DC6FE21785BF036EF4CC0AD45BB	79F0F5626CD6F57703FC31CA49E8A659BFFD631E194DF6FB3058EE25E5B05F53
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2592.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	9D483F7035A9FCF71315E65A994488E7	7C243B7640772DDC11E0D2B49767912501F67FA7	F3C19E40C3EB7B934EB4957A02C2C5C3C7FA407D4A58DE5B903914CD2CDECA5F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25D1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	652BDF7D0855F5C288A4CF252CDB05ED	BC678413B4CA6A8AEE721B34B59AC6BFFAA99C63	A6FD88DCFF981F529A1EEE1D51AE8D3F0FF96EC86A6FAF08A687D31FF8E196E5
C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat	Non-ISO extended-ASCII text, with no line terminators	CEBE65DF942FE8D2741077126898DE2C	3AAE2C1782E0957ADE39F7BB36DB3CA1A0C0DCEE	E968B85C0C0116FC66C82754910F81B47B6E995394D3863BDF3B947E97375E0B
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	8767C1AE156C82FA7BD03B002E6CE479	4F13EC8C94F2867693E087B81FB4B1117E26CB12	618973639A1B3D2C86A5C011AE3F5FAEC44F8A1C633DE5C9501FE7783DA9EA7A