
Analysis Report: Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321079
MD5: 03c41991be46edacb01b18d7ffe97b33
SHA1: 17193a4a9fad92f1473d42bbe0d14e83da481a72
SHA256: 749b86298b1735b41e92eef8b48c0aa38f1d7fa55bd0958b7b752bfcb5cb5a87
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Protects its processes via BreakOnTermination flag
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Yara signature match

Startup

  • System is w10x64
  • Quotation ATB-PR28500KINH.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 03C41991BE46EDACB01B18D7FFE97B33)
    • Quotation ATB-PR28500KINH.exe (PID: 6148 cmdline: Quotation ATB-PR28500KINH.exe MD5: 03C41991BE46EDACB01B18D7FFE97B33)
      • schtasks.exe (PID: 6284 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1760 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5344 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6052 cmdline: 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 4968 cmdline: taskkill /f /im 'Quotation ATB-PR28500KINH.exe' MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • PING.EXE (PID: 5604 cmdline: ping -n 1 -w 3000 1.1.1.1 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)
00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of 43 entries shown; the remaining entries are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)
6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x41ee:$x2: NanoCore.ClientPluginHost
  • 0x7641:$s4: PipeCreated
  • 0x4218:$s5: IClientLoggingHost
2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(5 of 35 entries shown; the remaining entries are collapsed in the original report)
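The Yara tables above report each hit as an offset, a string identifier and the matched text (for example 0x5fee:$x1: NanoCore.ClientPluginHost in the 073C0000 dump), and the System Summary further down lists version-resource strings such as OriginalFilenameNetworkClientPlugin.dll recovered from the same dumps. The Python below is an added example written for this page; it is not Joe Sandbox's Yara integration and it does not reproduce the conditions of the Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1 or JoeSecurity_Nanocore rules. It scans a memory dump for the plugin-host names those rules match on and for the plugin filenames the report lists, searching each string both as ASCII and as UTF-16LE, because the StringFileInfo values in a VS_VERSION_INFO resource (where OriginalFilename lives) are stored wide and a plain ASCII search misses them. The dump is constructed inside the block so the example runs offline: the ASCII strings are placed at the offsets the report shows for the 073C0000 region, the version-info layout is only approximated, and the verdict threshold is an assumption of this example.

```python
# Strings taken from the Yara hits and OriginalFilename entries in this report.
# Rule conditions are NOT reproduced; this is plain substring scanning.
HOST_STRINGS = [
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "PipeCreated",
]
PLUGIN_FILENAMES = [
    "NetworkClientPlugin.dll",
    "SurveillanceClientPlugin.dll",
    "CoreClientPlugin.dll",
]

# Search each string as narrow (ASCII/UTF-8) and wide (UTF-16LE) bytes.
ENCODINGS = (("ascii", "utf-8"), ("wide", "utf-16-le"))


def find_all(buf, needle):
    """Yield every offset of needle in buf (overlapping matches allowed)."""
    start = 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan_dump(buf):
    """Return sorted (offset, encoding label, string) hits for every string."""
    hits = []
    for s in HOST_STRINGS + PLUGIN_FILENAMES:
        for label, enc in ENCODINGS:
            for off in find_all(buf, s.encode(enc)):
                hits.append((off, label, s))
    return sorted(hits)


def format_hits(hits):
    """Render hits the way the report's Strings column does: 0x<off>:<label>: <string>."""
    return [f"0x{off:x}:{label}: {s}" for off, label, s in hits]


def verdict(hits):
    """Triage heuristic (an assumption of this example, not a rule condition):
    NanoCore-like when the plugin-host type name plus at least one other
    host string are present."""
    found = {s for _, _, s in hits if s in HOST_STRINGS}
    return "NanoCore.ClientPluginHost" in found and len(found) >= 2


def build_sample_dump():
    """Constructed dump: a zeroed region with the report's ASCII strings at the
    offsets shown for the 073C0000 dump, plus one UTF-16LE version-info pair
    (key, NUL, value; VS_VERSION_INFO padding omitted) at 0x8000."""
    buf = bytearray(b"\x00" * 0xA000)

    def put(off, data):
        buf[off:off + len(data)] = data

    put(0x5FEE, b"NanoCore.ClientPluginHost")
    put(0x6018, b"IClientLoggingHost")
    put(0x602B, b"IClientNetworkHost")
    put(0x9441, b"PipeCreated")
    put(0x8000, "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
        + "NetworkClientPlugin.dll".encode("utf-16-le") + b"\x00\x00")
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    hits = scan_dump(dump)
    print("\n".join(format_hits(hits)))
    print("NanoCore-like:", verdict(hits))
```

On a real dump the same three functions apply unchanged (read the .sdmp or unpacked PE as bytes and pass it to scan_dump); the wide hits are the ones a strings run without UTF-16 support would silently drop.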

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ProcessId: 6148, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Quotation ATB-PR28500KINH.exe, ParentImage: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ParentProcessId: 6148, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', ProcessId: 6284
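The two Sigma hits above and the process tree in the Startup section describe three host-side behaviours worth alerting on: a scheduled task registered from an XML file in the user's Temp directory, the self-deletion chain cmd.exe /C taskkill & ping & type nul > & del (ping -n 1 -w 3000 is a three-second sleep that lets the parent exit before its file is truncated and removed), and NanoCore's run.dat written into a GUID-named folder under Roaming. The Python below is an added example written for this page, not Joe Sandbox's Sigma engine and not the Sigma rules themselves; it implements equivalent checks over process-creation and file-creation records shaped like the Sysmon fields quoted in the hits (EventID, Image, CommandLine, ParentImage, TargetFilename). The event records are constructed from the report's own command lines, with the double quotes Windows actually passes in place of the single quotes the report rendering shows; the benign "Backup" task in the last record is made up so the example shows a non-match.

```python
import re

# Constructed events modelled on the Sysmon fields the report quotes
# (EventID 1 = process creation, EventID 11 = file creation). The first
# three come from the report's process tree and Sigma hits; the last is a
# made-up benign task registration that must NOT fire.
EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpECB7.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": (r'"cmd.exe" /C taskkill /f /im "Quotation ATB-PR28500KINH.exe" & '
                     r'ping -n 1 -w 3000 1.1.1.1 & '
                     r'type nul > "C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe" & '
                     r'del /f /q "C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe"'),
     "ParentImage": r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\backup\task.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Temp locations a task XML should never legitimately come from (lower-cased paths).
TEMP_DIR = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\")
# %APPDATA%\<GUID>\run.dat, the NanoCore artefact in the Sigma hit above.
GUID_RUN_DAT = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\run\.dat$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_temp_xml(ev):
    """Task registered with 'schtasks /create ... /xml <file in a temp dir>'.
    Returns the task name on a hit, else None."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    low = cl.lower()
    if "/create" in low and "/xml" in low and TEMP_DIR.search(low):
        m = re.search(r'/tn\s+"?([^"/]+)', cl, re.IGNORECASE)
        return m.group(1).strip() if m else "<unnamed>"
    return None


def rule_self_delete_chain(ev):
    """cmd.exe /C chain that kills a process, sleeps via ping, then deletes a
    file. Returns the deleted path on a hit, else None."""
    if ev.get("EventID") != 1 or _basename(ev["Image"]) != "cmd.exe":
        return None
    m = re.search(r"/c\s+(.*)", ev["CommandLine"], re.IGNORECASE | re.DOTALL)
    payload = m.group(1) if m else ev["CommandLine"]
    parts = [p.strip() for p in payload.split("&") if p.strip()]
    low = [p.lower() for p in parts]
    has_kill = any(p.startswith("taskkill") for p in low)
    # 'ping -n 1 -w 3000 <ip>' is the classic batch-file sleep idiom
    has_sleep = any(p.startswith("ping") and "-n" in p for p in low)
    del_cmds = [p for p in parts if p.lower().startswith("del ")]
    if has_kill and has_sleep and del_cmds:
        t = re.search(r'del\s+(?:/[a-z]\s+)*"?([^"]+)', del_cmds[0], re.IGNORECASE)
        return t.group(1).strip() if t else del_cmds[0]
    return None


def rule_nanocore_run_dat(ev):
    """run.dat created inside a GUID-named Roaming directory.
    Returns the file path on a hit, else None."""
    if ev.get("EventID") != 11:
        return None
    path = ev["TargetFilename"]
    return path if GUID_RUN_DAT.search(path.lower()) else None


RULES = [
    ("Scheduled temp file as task from temp location", rule_schtasks_temp_xml),
    ("Self-delete via taskkill/ping/del chain", rule_self_delete_chain),
    ("NanoCore run.dat in GUID-named Roaming directory", rule_nanocore_run_dat),
]


def detect(events):
    """Run every rule over every event; return (rule name, detail) pairs."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail is not None:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in detect(EVENTS):
        print(f"[{name}] {detail}")
```

The schtasks rule keys on the XML path rather than the task name, since "DHCP Monitor" is chosen to look like a system component and will differ per build; the self-delete rule keys on the combination of kill, sleep and delete in one /C payload, which is what distinguishes it from ordinary batch cleanup.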

      Signature Overview


      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Quotation ATB-PR28500KINH.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Source: C:\Users\user\AppData\Roaming\45678 | Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\45678 | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Quotation ATB-PR28500KINH.exe | ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
Source: Yara match | File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\45678 | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

      Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: global traffic | TCP traffic: 192.168.2.3:49725 -> 194.5.97.9:1430
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: petroleum.sytes.net
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: the same 13 memory dumps / process memory spaces and 4 unpacked PEs listed under AV Detection above

      Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process information set: 00 00 00 00

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740E180 NtSetInformationProcess
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740E178 NtSetInformationProcess
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 2_2_00747241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_00C67241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DE471
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DE480
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DBBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_074077A0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07400298
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07406ED0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740B920
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07400356
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07406B88
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 10_2_00647241
PE file contains strange resources
Source: Quotation ATB-PR28500KINH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45678.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.326733163.00000000046F5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.326304055.0000000006240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317789934.000000000138A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.323134586.0000000003F2E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.317624491.0000000000D7A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.332027361.0000000073FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Yara signature match
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 45678.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: HJdyTuap.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@43520/9@2/3
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\45678
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Local\Temp\tmpECB7.tmp
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Quotation ATB-PR28500KINH.exe")
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Quotation ATB-PR28500KINH.exe | ReversingLabs: Detection: 27%
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: \??\C:\Windows\mscorlib.pdb6e source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
      Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
      Source: Binary string: mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327183574.0000000006D8F000.00000004.00000001.sdmp
      Source: Binary string: p0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
      Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
      Source: Binary string: mscorlib.pdbH source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327127110.0000000006D70000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: HJdyTuap.exe.2.drStatic PE information: real checksum: 0x108e0c should be: 0x10980c
      Source: initial sampleStatic PE information: section name: .text entropy: 7.8618274721
      Source: initial sampleStatic PE information: section name: .text entropy: 7.8618274721
      Source: initial sampleStatic PE information: section name: .text entropy: 7.8618274721
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\45678
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\45678

      Boot Survival:

      Drops PE files to the startup folder
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile opened: C:\Users\user\AppData\Roaming\45678:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Uses ping.exe to sleep
      Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeWindow / User API: threadDelayed 3215
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeWindow / User API: threadDelayed 6337
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6392Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6464Thread sleep count: 50 > 30
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 2_2_050300AD mov ecx, dword ptr fs:[00000030h]2_2_050300AD
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 2_2_050300AD mov eax, dword ptr fs:[00000030h]2_2_050300AD
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeSection loaded: unknown target: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.328052753.000000000733E000.00000004.00000010.sdmpBinary or memory string: Program Manager
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320469818.0000000003371000.00000004.00000001.sdmpBinary or memory string: Program ManagerHa+l
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.318986123.00000000030AB000.00000004.00000001.sdmpBinary or memory string: Program ManagerD$+l
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.319565462.00000000031B9000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320153837.00000000032EB000.00000004.00000001.sdmpBinary or memory string: Program Managert
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327030641.00000000069AB000.00000004.00000010.sdmpBinary or memory string: Program Manager@
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
      Source: Yara matchFile source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
      Source: Yara matchFile source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
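The Yara hits above and the "String found in binary or memory" entries before them both rest on the same evidence: the NanoCore client-plugin type names (NanoCore.ClientPluginHost, IClientNetworkHost, ClientPlugin.dll and so on) sitting in the unpacked process memory. The script below is an added example for this report, not Joe Sandbox's code and not the sample's; it scans a raw memory dump for those markers in both encodings .NET uses (ASCII in the metadata tables, UTF-16LE for string literals) and reports the offsets, so a hit can be tied back to a specific dump region. The marker list is taken from the strings quoted above; the dump it scans is constructed inline, and the two-marker verdict threshold is this example's own assumption.

```python
"""Scan a raw memory dump for the NanoCore client-plugin markers quoted above.

Added example for this report, not code from Joe Sandbox or from the sample.
"""
import re
from typing import Dict, List, Tuple

# Type/namespace names recovered from the sample's process memory (see the
# "String found in binary or memory" entries above). Prefixes of longer
# markers (e.g. NanoCore.ClientPlugin) are left out so one string cannot
# count twice.
NANOCORE_MARKERS = [
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "IClientAppHost",
    "ClientPlugin.dll",
]

def _compile() -> List[Tuple[str, str, re.Pattern]]:
    """One pattern per marker and encoding: ASCII (metadata) and UTF-16LE (literals)."""
    pats = []
    for name in NANOCORE_MARKERS:
        pats.append((name, "ascii", re.compile(re.escape(name.encode("ascii")))))
        pats.append((name, "utf-16le", re.compile(re.escape(name.encode("utf-16-le")))))
    return pats

PATTERNS = _compile()

def scan_dump(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {marker: [(encoding, offset), ...]} for every marker present."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for name, enc, rx in PATTERNS:
        for m in rx.finditer(data):
            hits.setdefault(name, []).append((enc, m.start()))
    return hits

def is_nanocore(data: bytes, min_distinct: int = 2) -> bool:
    """Verdict: at least `min_distinct` distinct markers. Assumed threshold:
    ClientPlugin.dll on its own is too generic a file name to convict on."""
    return len(scan_dump(data)) >= min_distinct

def scan_file(path: str) -> Dict[str, List[Tuple[str, int]]]:
    """Convenience wrapper for a .sdmp/.unpack file on disk."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())

# Constructed stand-in for a dump region: padding, one ASCII marker, one
# UTF-16LE marker. The ASCII marker lands at offset 64, the UTF-16LE one at 122.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"NanoCore.ClientPluginHost\x00"
    + b"\xcc" * 32
    + "IClientNetworkHost".encode("utf-16-le")
    + b"\x00" * 64
)

if __name__ == "__main__":
    for marker, where in scan_dump(SAMPLE_DUMP).items():
        print(marker, where)
    print("verdict:", "NanoCore" if is_nanocore(SAMPLE_DUMP) else "no match")
```

Run it against the .sdmp or .unpack files referenced in the Yara list (scan_file) rather than the packed sample on disk: the original PE is a .NET dropper and only carries these strings once the payload has been unpacked in memory, which is why the Yara sources above are all memory or UNPACKEDPE.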

      Mitre Att&ck Matrix

(Rebuilt from the report's flattened matrix and listed by tactic. The trailing digits are the report's superscript badges, kept as extracted, on the techniques its signatures matched; entries without one are the matrix's unmatched template cells and carry no finding.)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation 11; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Startup Items 1; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 12; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Startup Items 1; Process Injection 112; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 12; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools 11; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 1; Software Packing 13; Masquerading 11; Virtualization/Sandbox Evasion 2; Process Injection 112; Hidden Files and Directories 1
Credential Access: Input Capture 21; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Information Discovery 13; Security Software Discovery 111; Virtualization/Sandbox Evasion 2; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Network Configuration Discovery 1; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 11; Input Capture 21; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

      Behavior Graph

Behavior Graph ID: 321079
Sample: Quotation ATB-PR28500KINH.exe
Start date: 20/11/2020
Architecture: WINDOWS
Score: 100

Process tree rebuilt from the graph dump (node numbers are the graph's own; bracketed numbers are the graph's count badges for created registry values / files):

Start [2]
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 14 other signatures
  |- [8] Quotation ATB-PR28500KINH.exe (badge: 3)
  |     Dropped: C:\Users\user\AppData\...\HJdyTuap.exe (PE32); C:\Users\user\AppData\Roaming\45678 (PE32); C:\Users\user\...\45678:Zone.Identifier (ASCII)
  |     Signatures: Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier)
  |     |- [14] Quotation ATB-PR28500KINH.exe (badges: 1 11)
  |           Network: petroleum.sytes.net 194.5.97.9, ports 1430, 49725, 49727 (1430 is the remote C2 port; 49725 and 49727 are the client's ephemeral source ports), DANILENKODE, Netherlands
  |           Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmpECB7.tmp (XML)
  |           Signature: Protects its processes via BreakOnTermination flag
  |           |- [19] cmd.exe
  |           |     Network: 1.1.1.1 CLOUDFLARENETUS Australia
  |           |     Signature: Uses ping.exe to sleep
  |           |     |- [29] PING.EXE
  |           |     |     Network: 192.168.2.1 unknown unknown
  |           |     |- [32] conhost.exe
  |           |     |- [34] taskkill.exe
  |           |- [23] schtasks.exe (badge: 1)
  |           |     |- [36] conhost.exe
  |           |- [25] schtasks.exe
  |           |     |- [38] conhost.exe
  |           |- [27] schtasks.exe
  |                 |- [40] conhost.exe
  |- [12] Quotation ATB-PR28500KINH.exe


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
Quotation ATB-PR28500KINH.exe | 27% | ReversingLabs | ByteCode-MSIL.Hacktool.Mimikatz
Quotation ATB-PR28500KINH.exe | 100% | Avira | TR/AD.Nanocore.qhfnr
Quotation ATB-PR28500KINH.exe | 100% | Joe Sandbox ML | (no label)

Note that the ReversingLabs family labels on this page (Mimikatz here, AgentTesla on the Startup-folder copy below) disagree with Avira's Nanocore label, the Yara matches and the NanoCore.ClientPluginHost strings recovered from memory; treat the multi-scanner family label as low confidence and the Yara and string evidence as the classification.

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Avira | TR/AD.Nanocore.qhfnr
C:\Users\user\AppData\Roaming\45678 | 100% | Avira | TR/AD.Nanocore.qhfnr
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Roaming\45678 | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Roaming\45678 | 27% | ReversingLabs | ByteCode-MSIL.Hacktool.Mimikatz
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

Source | Detection | Scanner | Label
6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack | 100% | Avira | TR/NanoCore.fadte
2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

Source | Detection | Scanner
petroleum.sytes.net | 1% | Virustotal

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
petroleum.sytes.net | 194.5.97.9 | true | false | (none) | unknown

      Contacted IPs


      Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | true
194.5.97.9 | unknown | Netherlands | 208476 | DANILENKODE | false

Read the Malicious column with care: 1.1.1.1 is Cloudflare's public resolver and is only reached by the ping.exe sleep the cmd.exe child runs (see the behavior graph), so it is not an indicator; the actual command-and-control endpoint is petroleum.sytes.net resolving to 194.5.97.9 on TCP port 1430, which this table marks false.

      Private

      IP
      192.168.2.1
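The network picture above has two parts that are easy to conflate: the C2 session (a No-IP dynamic-DNS name, petroleum.sytes.net, on the non-standard port 1430) and the ICMP to 1.1.1.1 that the sample's cmd.exe child uses as a sleep. The script below is an added example for this report, not Joe Sandbox output; it triages a connection log for exactly that split. The log line format, the dynamic-DNS suffix list, the "standard" port set and the public-resolver list are this example's own assumptions, and the sample log is constructed from the endpoints the report recorded.

```python
"""Triage a connection log for the C2 pattern seen in this analysis.

Added example for this report, not Joe Sandbox output. Flags dynamic-DNS
hostnames and non-standard ports, and labels pings to public resolvers
separately so the ping-based sleep is not mistaken for C2.
"""
import re
from typing import Dict, List, Set

# Free dynamic-DNS suffixes commonly used for commodity-RAT C2 (assumed list,
# extend from your own intel). sytes.net is the No-IP suffix seen here.
DDNS_SUFFIXES = ("sytes.net", "hopto.org", "zapto.org", "no-ip.org", "no-ip.biz",
                 "ddns.net", "duckdns.org", "myftp.biz", "serveftp.com")
# Ports an ordinary client is expected to reach; anything else is non-standard.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
# Public resolvers a "ping -n N" sleep typically targets.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Assumed log format: "<date> <time> <PROTO> <src>[:<port>] -> <dst>[:<port>] [host=<name>]"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: host=(?P<host>\S+))?$"
)

def assess_line(line: str) -> Set[str]:
    """Reason codes for one line; an empty set means nothing of interest."""
    m = LINE.match(line.strip())
    if not m:
        return {"unparsed"}
    reasons: Set[str] = set()
    host = (m["host"] or "").lower().rstrip(".")
    if m["proto"] == "ICMP":
        if m["dst"] in PUBLIC_RESOLVERS:
            reasons.add("ping_public_resolver")   # sleep / connectivity check, not C2
        return reasons
    if host and host.endswith(DDNS_SUFFIXES):
        reasons.add("ddns_host")
    if m["dport"] and int(m["dport"]) not in STANDARD_PORTS:
        reasons.add("nonstandard_port")
    return reasons

def triage(log: str) -> List[Dict[str, object]]:
    """Every line that earned at least one reason code."""
    out: List[Dict[str, object]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        reasons = assess_line(line)
        if reasons:
            out.append({"line": line.strip(), "reasons": reasons})
    return out

def c2_candidates(log: str) -> Set[str]:
    """host:port pairs that combine a DDNS name with a non-standard port."""
    found: Set[str] = set()
    for item in triage(log):
        if {"ddns_host", "nonstandard_port"} <= item["reasons"]:
            m = LINE.match(item["line"])
            found.add(f"{m['host']}:{m['dport']}")
    return found

# Constructed log using the endpoints this report recorded; the 192.0.2.10
# line is a benign TLS connection added for contrast (TEST-NET address).
SAMPLE_LOG = """\
2020-11-20 10:53:40 TCP 192.168.2.3:49725 -> 194.5.97.9:1430 host=petroleum.sytes.net
2020-11-20 10:53:41 ICMP 192.168.2.3 -> 1.1.1.1
2020-11-20 10:53:42 ICMP 192.168.2.3 -> 192.168.2.1
2020-11-20 10:53:45 TCP 192.168.2.3:49730 -> 192.0.2.10:443 host=www.example.com
2020-11-20 10:53:50 TCP 192.168.2.3:49727 -> 194.5.97.9:1430 host=petroleum.sytes.net
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(sorted(item["reasons"]), item["line"])
    print("C2 candidates:", c2_candidates(SAMPLE_LOG))
```

The useful block indicator that falls out is the hostname, not the IP: the context section further down shows petroleum.sytes.net resolving to 185.140.53.139 and 185.244.30.10 in earlier analyses and to 194.5.97.9 in this one, so a dynamic-DNS C2 is tracked by name.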

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:321079
      Start date:20.11.2020
      Start time:10:52:16
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 42s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Quotation ATB-PR28500KINH.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.adwa.evad.winEXE@43520/9@2/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 0.3% (good quality ratio 0.2%)
      • Quality average: 60.3%
      • Quality standard deviation: 29.8%
      HCA Information:
      • Successful, ratio: 96%
      • Number of executed functions: 21
      • Number of non-executed functions: 2
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 104.43.193.48, 23.210.248.85, 84.53.167.113, 51.104.139.180, 8.241.11.126, 8.248.125.254, 8.248.117.254, 67.26.137.254, 8.248.119.254, 52.155.217.156, 20.54.26.129, 95.101.22.134, 95.101.22.125
      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
10:53:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
10:53:33 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe" s>$(Arg0)

      Joe Sandbox View / Context

      IPs

Match | Associated sample name / URL | Detection | Context
(The SHA 256 and Link columns of the original table held only "Get hash" / "Browse" links and are omitted.)
1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload
194.5.97.9 | Quotation ATB-PR28500KINH.exe | malicious | (none)

        Domains

Match | Associated sample name / URL | Detection | Context (IP the domain resolved to in that analysis)
(The SHA 256 and Link columns held only "Get hash" / "Browse" links and are omitted.)
petroleum.sytes.net | Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
petroleum.sytes.net | RFQ-BOHB-SS-FD6L4.exe | malicious | 185.140.53.139
petroleum.sytes.net | new order is in the attached.exe | malicious | 185.244.30.10
petroleum.sytes.net | Claim 001 & 002_pdf.exe | malicious | 185.244.30.10
petroleum.sytes.net | Claim 001 & 002_JPEG.exe | malicious | 185.244.30.10
petroleum.sytes.net | Product lists.exe | malicious | 185.244.30.10
petroleum.sytes.net | End of the yr shipment#102120.exe | malicious | 185.244.30.10
petroleum.sytes.net | ALLPLATES-P.O#008012019.pdf.exe | malicious | 185.244.30.10
petroleum.sytes.net | ALLPLATES-P.O#008012019.exe | malicious | 185.244.30.10
petroleum.sytes.net | Request price listing.exe | malicious | 185.244.30.10
petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10
petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10

The same dynamic-DNS name has pointed at 185.140.53.139, 185.244.30.10 and now 194.5.97.9 across these analyses, so the domain, not any single IP, is the stable indicator for this C2; the earlier samples (quotation, invoice and purchase-order lures, like this one) are the same campaign's lure set.

        ASN

Match | Associated sample name / URL | Detection | Context (contacted IP)
(The SHA 256 and Link columns held only "Get hash" / "Browse" links and are omitted.)
CLOUDFLARENETUS | 23prRlqeGr.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | malicious | 104.20.23.46
CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | malicious | 104.20.22.46
CLOUDFLARENETUS | iG9YiwEMru.exe | malicious | 104.27.132.115
CLOUDFLARENETUS | Avion Quotation Request.doc | malicious | 104.22.54.159
CLOUDFLARENETUS | SUSPENSION LETTER ON SIM SWAP.pdf.exe | malicious | 172.67.131.55
CLOUDFLARENETUS | Quotation ATB-PR28500KINH.exe | malicious | 1.1.1.1
CLOUDFLARENETUS | SaXJC2CZ8m.exe | malicious | 104.27.133.115
CLOUDFLARENETUS | PO91666. pdf.exe | malicious | 172.67.143.180
CLOUDFLARENETUS | BT2wDapfoI.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | ara.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | ORDER FORM DENK.exe | malicious | 104.18.47.150
CLOUDFLARENETUS | araiki.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | arailk.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious | 104.26.4.196
CLOUDFLARENETUS | https://trondiamond.co/OMMOM/OM9u8 | malicious | 104.16.18.94
CLOUDFLARENETUS | https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000 | malicious | 104.16.149.64
CLOUDFLARENETUS | https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink | malicious | 104.18.215.67
CLOUDFLARENETUS | https://gazeta-echo.ru/wp-includes/assets/<>/?mail=tfagot@dupaco.com | malicious | 104.16.123.175
CLOUDFLARENETUS | https://go.pardot.com/e/395202/siness-insights-dashboard-html/bnmpz6/1446733421?h=AwLDfNsCVbkjEN13pzY-7AXMPolL_XMigGsJSppGaiM | malicious | 104.16.19.94
DANILENKODE | Quotation ATB-PR28500KINH.exe | malicious | 194.5.97.9
DANILENKODE | 19112020778IMG78487784.exe | malicious | 194.5.97.249
DANILENKODE | PaymentConformation.exe | malicious | 194.5.97.202
DANILENKODE | bGtm3bQKUj.exe | malicious | 194.5.98.122
DANILENKODE | IMAGE-18112020.exe | malicious | 194.5.97.17
DANILENKODE | Covid-19 relief.exe | malicious | 194.5.97.21
DANILENKODE | tax-relief.exe | malicious | 194.5.97.166
DANILENKODE | Ref-BID PRICE.exe | malicious | 194.5.98.252
DANILENKODE | 1ttmgYD97B.exe | malicious | 194.5.99.163
DANILENKODE | 2mtUEXin7W.exe | malicious | 194.5.99.163
DANILENKODE | wk59hOo880.exe | malicious | 194.5.99.163
DANILENKODE | BCVaSYrgmG.exe | malicious | 194.5.99.163
DANILENKODE | 30203490666.exe | malicious | 194.5.98.199
DANILENKODE | InSppuoN2s.exe | malicious | 194.5.98.196
DANILENKODE | Av01vC7kS1.exe | malicious | 194.5.97.155
DANILENKODE | yb1rlaFJuO.exe | malicious | 194.5.99.163
DANILENKODE | 1MwYrZqjEy.exe | malicious | 194.5.99.163
DANILENKODE | IRS-RELIEF.exe | malicious | 194.5.97.21
DANILENKODE | Jvdivmn_Signed_.exe | malicious | 194.5.97.38
DANILENKODE | myupsfile.exe | malicious | 194.5.97.38

The two ASN blocks are not equally useful. The CLOUDFLARENETUS matches are CDN-fronted addresses shared with legitimate sites and carry no pivot value (this sample only pinged 1.1.1.1). The DANILENKODE matches all fall in 194.5.97.0/24, 194.5.98.0/24 and 194.5.99.0/24 and are other lure-named samples from the same days, which makes those ranges the worthwhile hunting pivot.

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Temp\tmpECB7.tmp
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1315
        Entropy (8bit):5.1337076542548274
        Encrypted:false
        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0LFxtn:cbk4oL600QydbQxIYODOLedq3uFj
        MD5:5C24CCED27B3FB5CB89EE64C7E4FD458
        SHA1:EBC586E78D6BDC8F916D4FAB269033293F7980BD
        SHA-256:D7B6F315482BBFD57BD9AA6C302F2F55798D8BC3655853ABD6412B1D4289AFCC
        SHA-512:48E75213BEDEF4014E44F4C2B38643A7D4DF888CE261DD07908121F4A73B88F2A931AF5F0D27DB3FED120FDA2B7A75E074697CF2C94EEBD54CB403CA9C7F5D70
        Malicious:true
        Reputation:low
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
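The task definition above is the file schtasks.exe imports to register the "DHCP Monitor" task logged under Simulations: no triggers (so it only runs when the malware itself launches it), RunLevel HighestAvailable, and a command pointing at the sample on the user's Desktop with a caller-supplied $(Arg0). The script below is an added example for this report, not Joe Sandbox's code; it pulls those properties out of a Task Scheduler XML so the same shape can be hunted across exported tasks. The report's preview stops before <Actions>, so the Actions element in the constructed sample, and the abridged Settings after the cut, are reconstructed from the Task Scheduler entry the report logged and are an assumption; the benign comparison task is likewise constructed.

```python
"""Hunt Task Scheduler XML for the persistence shape this sample registers.

Added example for this report, not Joe Sandbox's code.
"""
import re
import xml.etree.ElementTree as ET
from typing import Set

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
USER_WRITABLE = ("\\desktop\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def _decode(raw: bytes) -> str:
    """Decode by BOM, not by the XML declaration: the dropped file declares
    UTF-16 but the report identifies it as ASCII text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    # Drop the declaration so the parser cannot trust the wrong encoding.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)

def hunt_task(raw: bytes) -> Set[str]:
    """Return finding codes for one task definition."""
    root = ET.fromstring(_decode(raw))
    findings: Set[str] = set()

    triggers = root.find(NS + "Triggers")
    if triggers is None or len(triggers) == 0:
        findings.add("no_triggers")           # on-demand only: started by the malware itself

    for rl in root.iter(NS + "RunLevel"):
        if (rl.text or "").strip() == "HighestAvailable":
            findings.add("run_level_highest")  # asks for the elevated token when available

    for ex in root.iter(NS + "Exec"):
        cmd = (ex.findtext(NS + "Command") or "").strip().strip('"').lower()
        args = ex.findtext(NS + "Arguments") or ""
        if "\\users\\" in cmd and any(p in cmd for p in USER_WRITABLE):
            findings.add("user_writable_path")  # binary lives where the user can write
        if "$(Arg0)" in args:
            findings.add("caller_argument")     # task relays whatever it is launched with
    return findings

# Constructed task XML: the elements the report's preview shows (abridged),
# then an <Actions> block reconstructed from the logged task (assumption).
SUSPICIOUS_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\user\\Desktop\\Quotation ATB-PR28500KINH.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign comparison: calendar trigger, system binary, least privilege.
BENIGN_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-11-20T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\wevtutil.exe</Command><Arguments>cl Application</Arguments></Exec></Actions>
</Task>
"""

if __name__ == "__main__":
    print("suspicious:", sorted(hunt_task(SUSPICIOUS_TASK)))
    print("benign:", sorted(hunt_task(BENIGN_TASK)))
```

On a live host the same XML is obtained with schtasks /Query /XML /TN "DHCP Monitor" or from the task files under C:\Windows\System32\Tasks; a task that trips all four codes at once is the NanoCore restart-with-elevation pattern, whereas a single code (for example caller_argument) is common in legitimate tasks and should not be alerted on alone.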
        C:\Users\user\AppData\Roaming\45678
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):1021440
        Entropy (8bit):6.747456626425728
        Encrypted:false
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg
        MD5:03C41991BE46EDACB01B18D7FFE97B33
        SHA1:17193A4A9FAD92F1473D42BBE0D14E83DA481A72
        SHA-256:749B86298B1735B41E92EEF8B48C0AA38F1D7FA55BD0958B7B752BFCB5CB5A87
        SHA-512:0A75BF191A00F1C641F6811D98C987F0248BE5CACEDD8C3C7E93E0CA5AE8913B4813BA792021B035A843DF78BE186D054221A311E185F3A37CC92F28EE2730D0
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 27%
        Reputation:low
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. ....................................@.....................................W.... ..N............................................................................ ............... ..H............text...4.... ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........e..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r1..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
        C:\Users\user\AppData\Roaming\45678:Zone.Identifier
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:true
Preview: [ZoneTransfer]....ZoneId=0 (ZoneId 0 is the Local Machine zone; the sample writes a mark-of-the-web onto its dropped copy that claims local origin, which is the behaviour the "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature refers to)
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):128
        Entropy (8bit):6.527114648336088
        Encrypted:false
        SSDEEP:3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
        MD5:0A9C5EAE8756D6FC90F59D8D71A79E1E
        SHA1:0F7D6AAED17CD18DC614535ED26335C147E29ED7
        SHA-256:B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
        SHA-512:78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
        Malicious:false
        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P.OT....g.t......'7......)..8zII..K/....n3...3.5.......&.7].)..wL...:}g...@...mV.....JUP...w
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:Non-ISO extended-ASCII text, with NEL line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:3:JIP:aP
        MD5:179401BA509B78E5613624E70B9E2ECA
        SHA1:FB3A31D8A8900CADB2820CAF4FC8B3AE2AA6581F
        SHA-256:9AA369E0924A94912AB3C3CFD1ACC04CFC7470DBBA6829A03BD576FB15537FEC
        SHA-512:9D9379F07B9E607509FC84F858973BB81A03D97CDB620DC9C0F79AB4473DF5E2C37E6F5AA2C57A4E195F11A6082C683A3CC5C7BDB0768E698E1D7740BCA75D94
        Malicious:true
        Preview: ._k....H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):40
        Entropy (8bit):5.153055907333276
        Encrypted:false
        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
        MD5:4E5E92E2369688041CC82EF9650EDED2
        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
        Malicious:false
        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):285608
        Entropy (8bit):7.99942192025113
        Encrypted:true
        SSDEEP:6144:KpKR3kz0ohkLsRC9wjZ59AbuaY5O+gRGD9Hcj4Tdw:IaUYweYC9wjZ59AyA5YFc0Te
        MD5:30E23835B6123B3250D73C3E313FEB01
        SHA1:52CDA23480DA64C5B16D9F6554D6B66E9FA1AE22
        SHA-256:20CC3B053C43B689D3C669DDDA6DF6E3C939B2059F9FA5B578AE2BB887269EB3
        SHA-512:DBF82EE996D82D0DAF95A3A9733056EF1FFE80D05D6ED88514FD728E9AA29161EEA8E75B12BB77E0D0B4F81C77A26CDAE4ABC29C8FA661D40C1941CA51E1749B
        Malicious:false
        Preview: .....W*.....P&4.......E..v+...mc...C<_..0....40=......[..3.q....\..[.I.......g....=.cI5w...h{2...c..l.j...4.R..$*X..<....q%...Y.:19..Y....f.uy..Q....=t...Q....\KuA.Z...ze...?........o....BX...Eh....(FW..|Mn.B>...R.>_Yz......U..>n....h..g5.._..vY.dN..]Bi=....&.._.8...9.Et...y..h1...uMy..G...._1by.)...H.................ws...C.S..?6.i.N..........8:..t..?.Z..?^..{......."..fsb....m.<..3..<.{..;+..v..H.6.....C..r_..Hv.?....z...F.=...%2...'C...LqF]....6/,.......)WuH..~..1.W........#..D.P_.Z8..n.~c. ......F$,bI...m../..dO..O...o..).3.M,...0.q..N..n...%BtO.i...L.N.^i[.<...#_......+z.!(...y.XN....^.K. E....2n.!.wa./yy(../...b:..Oq..j2Q- ......n(..\....Q;..ue...G..#!.2.\@lH....o..\?.K.Q..=qW}..|.....6........{.Y..e:.7..P`.H.........o......}..t."C#.i.<z.4Y.e..j..G.RO.$.[.l8...A....U;(...s..C..|...y....w.7?....}.....D.h......Ip.t.8....9%./...K...#G.2.s......E........tX.}..O...X.....S.9>k.hY..-."\..X.y@w.U...|._3.]R..:.^4l......L..........
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):52
        Entropy (8bit):5.003042362247046
        Encrypted:false
        SSDEEP:3:oNWXp5v0fyMQkq3CAdA:oNWXpF0fyn3CN
        MD5:69CBDC701874E0618836B88761CDB7C2
        SHA1:00B9CDA4949AA22EBAAB35427447140F0DAEE0A4
        SHA-256:E4135CACE67B6B8D98545C5BAF81F6762EAA0BF6577BCCC7674E19B4E6DE9EA3
        SHA-512:D61307D607B94A5D70D9AC8FB8DCBF44A0DD9FADACFA59CD3BD160EEBABE578F23CE717D9EB5CA5AEDCB7692BCF5FF11406606504D438F99EFDA9BB81AE0D7E1
        Malicious:false
        Preview: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
Size (bytes):1024000 (2560 bytes larger than the submitted sample and the AppData\Roaming\45678 copy; the SSDEEP is identical but the MD5/SHA values differ, so blocking on the submitted file's hashes misses this Startup-folder copy)
        Entropy (8bit):6.742400621297182
        Encrypted:false
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg
        MD5:08AD546B0A6F6C8AAC626B2E0F24C879
        SHA1:62B8943CC7F8DDFDF36518398E9393E4C5F336D5
        SHA-256:47B9259DCC96B694585C2E2E216C309E1B83AA46025599A996605B2D2314C3DB
        SHA-512:ECD93E63F4706D5BBFA36C9003B18DFD19CA02FED78E3F59C4ED9B7185AA43274D9327C980E9BAFD879E58CFD77BB120B7922A35C985642E72833AD86FFD64C1
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 33%
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. ....................................@.....................................W.... ..N............................................................................ ............... ..H............text...4.... ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........e..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r1..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):6.747456626425728
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:Quotation ATB-PR28500KINH.exe
        File size:1021440
        MD5:03c41991be46edacb01b18d7ffe97b33
        SHA1:17193a4a9fad92f1473d42bbe0d14e83da481a72
        SHA256:749b86298b1735b41e92eef8b48c0aa38f1d7fa55bd0958b7b752bfcb5cb5a87
        SHA512:0a75bf191a00f1c641f6811d98c987f0248be5cacedd8c3c7e93e0ca5ae8913b4813ba792021b035a843df78be186d054221a311e185f3a37cc92f28ee2730d0
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_................................. ... ....@.. ....................................@................................

        File Icon

        Icon Hash:905ada12e9cc368b

        Static PE Info

        General

        Entrypoint:0x4a062e
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x5FB6EFA2 [Thu Nov 19 22:20:18 2020 UTC]
        TLS Callbacks:
        CLR (.Net) Version:v4.0.30319
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

        Entrypoint Preview

        Instruction
        jmp dword ptr [00402000h]

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa05d4 | 0x57 | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5a94e | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x9e634 | 0x9e800 | False | 0.921431388013 | data | 7.8618274721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rsrc | 0xa2000 | 0x5a94e | 0x5aa00 | False | 0.0372737068966 | data | 2.71520754372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0xfe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0xa21d8 | 0x42028 | dBase III DBT, version number 0, next free block index 40 | English | United States
        RT_ICON | 0xe4200 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
        RT_ICON | 0xe4668 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413 | English | United States
        RT_ICON | 0xe6c10 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116 | English | United States
        RT_ICON | 0xe7cb8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
        RT_ICON | 0xf84e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036 | English | United States
        RT_GROUP_ICON | 0xfc708 | 0x5a | data | English | United States
        RT_MANIFEST | 0xfc764 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

        Imports

        DLL | Import
        mscoree.dll | _CorExeMain

        Possible Origin

        Language of compilation system | Country where language is spoken | Map
        English | United States |

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        11/20/20-10:53:57.838381 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.3 | 1.1.1.1
        11/20/20-10:53:57.838381 | ICMP | 384 | ICMP PING | | | 192.168.2.3 | 1.1.1.1
        11/20/20-10:53:57.854679 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.3

        Network Port Distribution

        TCP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP

        UDP Packets


        ICMP Packets

        Timestamp | Source IP | Dest IP | Checksum | Code | Type
        Nov 20, 2020 10:53:57.838381052 CET | 192.168.2.3 | 1.1.1.1 | 4d5a | | Echo
        Nov 20, 2020 10:53:57.854679108 CET | 1.1.1.1 | 192.168.2.3 | 555a | | Echo Reply

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Nov 20, 2020 10:53:34.654174089 CET | 192.168.2.3 | 8.8.8.8 | 0x3a71 | Standard query (0) | petroleum.sytes.net | A (IP address) | IN (0x0001)
        Nov 20, 2020 10:53:40.491895914 CET | 192.168.2.3 | 8.8.8.8 | 0x9891 | Standard query (0) | petroleum.sytes.net | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Nov 20, 2020 10:53:34.693852901 CET | 8.8.8.8 | 192.168.2.3 | 0x3a71 | No error (0) | petroleum.sytes.net | | 194.5.97.9 | A (IP address) | IN (0x0001)
        Nov 20, 2020 10:53:40.527616024 CET | 8.8.8.8 | 192.168.2.3 | 0x9891 | No error (0) | petroleum.sytes.net | | 194.5.97.9 | A (IP address) | IN (0x0001)

        Code Manipulations

        Statistics

        CPU Usage


        Memory Usage


        High Level Behavior Distribution


        Behavior


        System Behavior

        General

        Start time: 10:53:11
        Start date: 20/11/2020
        Path: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit): true
        Commandline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Imagebase: 0x6b0000
        File size: 1021440 bytes
        MD5 hash: 03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation: low

        General

        Start time: 10:53:29
        Start date: 20/11/2020
        Path: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit): true
        Commandline: Quotation ATB-PR28500KINH.exe
        Imagebase: 0xbd0000
        File size: 1021440 bytes
        MD5 hash: 03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
        Reputation: low

        General

        Start time: 10:53:31
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit): true
        Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
        Imagebase: 0x12a0000
        File size: 185856 bytes
        MD5 hash: 15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:32
        Start date: 20/11/2020
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff6b2800000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:34
        Start date: 20/11/2020
        Path: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit): true
        Commandline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
        Imagebase: 0x5b0000
        File size: 1021440 bytes
        MD5 hash: 03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation: low

        General

        Start time: 10:53:53
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit): true
        Commandline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
        Imagebase: 0x12a0000
        File size: 185856 bytes
        MD5 hash: 15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:53
        Start date: 20/11/2020
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff7488e0000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:54
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit): true
        Commandline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
        Imagebase: 0x12a0000
        File size: 185856 bytes
        MD5 hash: 15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:54
        Start date: 20/11/2020
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff7488e0000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:55
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit): true
        Commandline: 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Imagebase: 0xbd0000
        File size: 232960 bytes
        MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:55
        Start date: 20/11/2020
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff6b2800000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:53:56
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\taskkill.exe
        Wow64 process (32bit): true
        Commandline: taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
        Imagebase: 0x980000
        File size: 74752 bytes
        MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: moderate

        General

        Start time: 10:53:56
        Start date: 20/11/2020
        Path: C:\Windows\SysWOW64\PING.EXE
        Wow64 process (32bit): true
        Commandline: ping -n 1 -w 3000 1.1.1.1
        Imagebase: 0xf00000
        File size: 18944 bytes
        MD5 hash: 70C24A306F768936563ABDADB9CA9108
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: moderate

        Disassembly

        Code Analysis


          Executed Functions

          Non-executed Functions

          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.330288997.0000000005030000.00000040.00000001.sdmp, Offset: 05030000, based on PE: false
          Similarity
          • API ID:
          • String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
          • API String ID: 0-2634024955
          • Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
          • Instruction ID: 3bc8a4b613338ef7fff2e76e7bcf1e860fc668187b1decfc595c2205291ad07e
          • Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
          • Instruction Fuzzy Hash: A03123B1E01258AFCB10CFE4D886BDEBBB8FF08750F20415AE514EB250E7749A05CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 79%
          				 *((intOrPtr*)(_t442 + 0x21)) =  *((intOrPtr*)(_t442 + 0x21)) + 0x35;
          				 *_t334 =  *_t334 + _t334;
          				 *_t334 =  *_t334 + _t334;
          				_t335 = _t416;
          				 *((intOrPtr*)(_t402 + 0xc006e0b)) =  *((intOrPtr*)(_t402 + 0xc006e0b)) + 0xfc000800;
          				 *((intOrPtr*)(_t446 + 0x21)) =  *((intOrPtr*)(_t446 + 0x21)) + _t335;
          				 *_t335 =  *_t335 + _t335;
          				 *_t335 =  *_t335 + _t335;
          				_t336 = _t446;
          				_t447 = _t335;
          				 *((intOrPtr*)(_t442 + 0xc006e22)) =  *((intOrPtr*)(_t442 + 0xc006e22)) + 0x35;
          				 *((intOrPtr*)(_t442 + 0x21)) =  *((intOrPtr*)(_t442 + 0x21)) + 0x35;
          				 *_t336 =  *_t336 + _t336;
          				 *_t336 =  *_t336 + _t336;
          				_t337 = _t334;
          				_t418 = _t336;
          				 *((intOrPtr*)(_t447 + 0xc006e22)) =  *((intOrPtr*)(_t447 + 0xc006e22)) + 0xfc000800;
          				 *_t447 =  *_t447 + 0x35;
          				 *_t337 =  *_t337 & _t337;
          				 *_t337 =  *_t337 + _t337;
          				 *((intOrPtr*)(_t447 - 0x6cf1dae8)) =  *((intOrPtr*)(_t447 - 0x6cf1dae8)) + _t337;
          				 *((intOrPtr*)(_t337 + _t337)) =  *((intOrPtr*)(_t337 + _t337)) + _t418;
          				asm("insd");
          				 *_t337 =  *_t337 & _t337;
          				 *_t337 =  *_t337 + _t337;
          				 *((intOrPtr*)(_t418 + 0x6e224e18)) =  *((intOrPtr*)(_t418 + 0x6e224e18)) + 0xfc000800;
          				 *((intOrPtr*)(_t337 + _t337)) =  *((intOrPtr*)(_t337 + _t337)) + _t418;
          				 *_t337 = gs;
          				 *_t337 =  *_t337 + _t337;
          				 *_t337 =  *_t337 + _t337;
          				_t338 = _t447;
          				_t436 = 0xfc000800 + _t338;
          				_t339 = _t338 &  *_t442;
          				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t418;
          				asm("les ebp, [eax]");
          				 *_t339 =  *_t339 + _t339;
          				 *_t339 =  *_t339 + _t339;
          				_t340 = _t337;
          				_t449 = _t339;
          				_t420 = _t418 + 0x00000035 &  *(_t418 + 0x35);
          				 *0x294c00 =  *0x294c00 + _t420;
          				 *_t340 =  *_t340 + _t340;
          				 *((intOrPtr*)(_t449 + 0x67231600)) =  *((intOrPtr*)(_t449 + 0x67231600)) + _t436;
          				 *_t449 =  *_t449 + _t420;
          				 *((intOrPtr*)(_t340 + 0x29)) =  *((intOrPtr*)(_t340 + 0x29)) + _t340;
          				 *((intOrPtr*)(_t449 - 0x6adc9d00)) =  *((intOrPtr*)(_t449 - 0x6adc9d00)) + _t436;
          				 *_t420 =  *_t420 + 0xfc000800;
          				 *_t340 =  *_t340 + _t340;
          				_t341 = _t340 -  *_t340;
          				 *_t341 =  *_t341 + _t341;
          				 *((intOrPtr*)(_t449 + 0x29238600)) =  *((intOrPtr*)(_t449 + 0x29238600)) + _t436;
          				 *0xfc000800 =  *0xfc000800 + 0xfc000800;
          				 *((intOrPtr*)(0xfc000800 + _t467)) =  *((intOrPtr*)(0xfc000800 + _t467)) + _t420;
          				 *_t341 =  *_t341 + _t341;
          				 *((intOrPtr*)(_t420 - 0x48dc4d00)) =  *((intOrPtr*)(_t420 - 0x48dc4d00)) + _t436;
          				 *_t402 =  *_t402 + 0xfc000800;
          				 *_t449 =  *_t449 + 0x35;
          				 *_t341 =  *_t341 & _t341;
          				 *_t341 =  *_t341 + _t341;
          				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + _t341;
          				 *_t449 =  *_t449 + _t436;
          				 *((intOrPtr*)(0xfc000800 + _t467)) =  *((intOrPtr*)(0xfc000800 + _t467)) + _t341;
          				 *((intOrPtr*)(_t442 + 0x24)) =  *((intOrPtr*)(_t442 + 0x24)) + _t402;
          				_push(ss);
          				 *0x0000002D =  *((intOrPtr*)(0x2d)) + _t402;
          				 *2 =  *2 + 2;
          				 *2 =  *2 + 2;
          				 *((intOrPtr*)(_t402 + 0x10)) =  *((intOrPtr*)(_t402 + 0x10)) + _t420;
          				 *0xfc000800 =  *0xfc000800 + 1;
          				asm("sbb [eax], al");
          				L3();
          				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + _t436;
          				_t403 = _t402 +  *0xfc000800;
          				 *((intOrPtr*)(_t467 + _t470)) =  *((intOrPtr*)(_t467 + _t470)) + _t420;
          				_t452 = _t341;
          				 *((intOrPtr*)(_t403 + 0x10)) =  *((intOrPtr*)(_t403 + 0x10)) + _t420;
          				 *_t403 =  *_t403 + 0x1c;
          				 *0x00000004 =  *((intOrPtr*)(4)) + 2;
          				 *((intOrPtr*)(_t452 - 0x35db6900)) =  *((intOrPtr*)(_t452 - 0x35db6900)) + _t436;
          				_t404 = _t403 +  *0x2d7800;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 2;
          				 *((intOrPtr*)(_t452 + 0x40f8300)) =  *((intOrPtr*)(_t452 + 0x40f8300)) + _t436;
          				_t348 = _t452;
          				 *((intOrPtr*)(_t404 + 0x1f04040f)) =  *((intOrPtr*)(_t404 + 0x1f04040f)) + 2;
          				 *_t348 =  *_t348 + 2;
          				 *[cs:eax] =  *[cs:eax] + 2;
          				 *_t348 =  *_t348 + 2;
          				_t349 = _t420;
          				_t421 = _t348;
          				 *((intOrPtr*)(_t349 + 0x20044924)) =  *((intOrPtr*)(_t349 + 0x20044924)) + _t421;
          				 *((intOrPtr*)(_t349 + 0x2e)) =  *((intOrPtr*)(_t349 + 0x2e)) + _t421;
          				 *((intOrPtr*)(_t421 - 0x37db4100)) =  *((intOrPtr*)(_t421 - 0x37db4100)) + _t436;
          				_t350 = _t349 + 0x22;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 0x35;
          				 *_t350 =  *_t350 & _t350;
          				 *_t350 =  *_t350 + 2;
          				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *0x315000 =  *0x315000 + _t350;
          				 *_t350 =  *_t350 + 2;
          				 *((intOrPtr*)(_t404 - 0x66f07600)) =  *((intOrPtr*)(_t404 - 0x66f07600)) + 2;
          				_t351 = _t350 +  *0x211e00;
          				 *_t351 =  *_t351 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t351;
          				 *((intOrPtr*)(_t421 + 0x21)) =  *((intOrPtr*)(_t421 + 0x21)) + _t404;
          				 *_t351 =  *_t351 + 2;
          				 *_t351 =  *_t351 + 2;
          				 *_t351 =  *_t351 + 0xffffff97;
          				asm("adc [esp+eax], bh");
          				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
          				 *((intOrPtr*)(_t404 + 0x1110ad00)) =  *((intOrPtr*)(_t404 + 0x1110ad00)) + 2;
          				_t352 = _t351 + 0x21aa0027;
          				 *_t352 =  *_t352 + 2;
          				 *_t352 =  *_t352 + 2;
          				_t353 = _t421;
          				_t422 = _t352;
          				asm("sbb [esi+0x22], cl");
          				asm("outsb");
          				 *_t353 =  *_t353 + _t422;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 0x35;
          				 *_t353 =  *_t353 & _t353;
          				 *_t353 =  *_t353 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *_t353 =  *_t353 + _t422;
          				 *0x00000025 =  *((intOrPtr*)(0x25)) + _t436;
          				 *((intOrPtr*)(_t404 + 0x4e0f6400)) =  *((intOrPtr*)(_t404 + 0x4e0f6400)) + 2;
          				_t423 = _t422 +  *_t353;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 0x35;
          				 *_t353 =  *_t353 & _t353;
          				 *_t353 =  *_t353 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *_t423 =  *_t423 + _t423;
          				 *((intOrPtr*)(_t353 + 0x32)) =  *((intOrPtr*)(_t353 + 0x32)) + _t423;
          				 *_t353 =  *_t353 + 2;
          				 *_t353 =  *_t353 + 2;
          				 *_t353 =  *_t353 + 0x27;
          				_t354 = _t353 & 0x0029056a;
          				_push(ds);
          				 *_t354 =  *_t354 & _t354;
          				 *_t354 =  *_t354 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *0xfc000800 =  *0xfc000800 + _t423;
          				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t404;
          				 *((intOrPtr*)(_t404 + 0x3c254b00)) =  *((intOrPtr*)(_t404 + 0x3c254b00)) + 2;
          				_t356 = _t354 + 0x2a + _t436;
          				 *_t356 =  *_t356 & _t356;
          				 *_t356 =  *_t356 + 2;
          				 *((intOrPtr*)(_t404 - 0x66daa600)) =  *((intOrPtr*)(_t404 - 0x66daa600)) + 2;
          				_t424 = _t423 +  *_t404;
          				 *0xFFFFFFFFFC000804 =  *((intOrPtr*)(0xfffffffffc000804)) + _t424;
          				 *_t356 =  *_t356 + 0x6e;
          				_t357 = _t356 & 0x002c057f;
          				_push(ds);
          				 *_t357 =  *_t357 & _t357;
          				 *_t357 =  *_t357 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *0x21e700 =  *0x21e700 + _t424;
          				 *_t357 =  *_t357 + 2;
          				 *((intOrPtr*)(_t404 + 0x3c259900)) =  *((intOrPtr*)(_t404 + 0x3c259900)) + 2;
          				_t358 = _t357 + 0x2d;
          				_t437 = _t436 + _t404;
          				 *_t358 =  *_t358 & _t358;
          				 *_t358 =  *_t358 + 2;
          				 *((intOrPtr*)(_t424 + 0x6e224e18)) =  *((intOrPtr*)(_t424 + 0x6e224e18)) + _t437;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t424;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 0x35;
          				 *_t358 =  *_t358 & _t358;
          				 *_t358 =  *_t358 + 2;
          				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
          				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t424;
          				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t437;
          				 *((intOrPtr*)(_t404 + 0x4e25b500)) =  *((intOrPtr*)(_t404 + 0x4e25b500)) + 2;
          				 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t404 + 4)) + _t358;
          				 *_t358 =  *_t358 + 2;
          				 *_t358 =  *_t358 + 2;
          				 *0x33 =  *0x33 + 2;
          				 *0x33 =  *0x33 + 2;
          				_t427 = _t424 +  *((intOrPtr*)(4)) + _t437 + _t437;
          				_push(es);
          				_t364 = _t358 & 0x0032064a &  *(_t358 & 0x0032064a);
          				 *_t364 =  *_t364 + 2;
          				 *((intOrPtr*)(_t427 + 0x6e224e18)) =  *((intOrPtr*)(_t427 + 0x6e224e18)) + _t437;
          				 *_t442 = _t437 +  *_t442;
          				 *0x33 =  *0x33 + 0x35;
          				 *_t364 =  *_t364 & _t364;
          				 *_t364 =  *_t364 + 2;
          				 *0xFFFFFFFF930E254B =  *((intOrPtr*)(0xffffffff930e254b)) + 2;
          				 *_t442 = _t437 +  *_t442;
          				 *0xfc000800 =  *0xfc000800 + _t437;
          				_t365 = _t364 &  *_t364;
          				 *_t365 =  *_t365 + 2;
          				 *((intOrPtr*)(_t404 - 0x7cd9e200)) =  *((intOrPtr*)(_t404 - 0x7cd9e200)) + 2;
          				_push(es);
          				asm("aaa");
          				 *((intOrPtr*)(0x33 + _t470)) =  *((intOrPtr*)(0x33 + _t470)) + _t427;
          				 *_t365 =  *_t365 + 2;
          				 *_t365 =  *_t365 + 2;
          				_t366 = 0x33;
          				_t456 = _t365;
          				 *0xFFFFFFFFFC000826 =  *((intOrPtr*)(0xfffffffffc000826)) + 0x35;
          				asm("clc");
          				_push(es);
          				if( *0x33 >= 2) {
          					 *0x33 =  *0x33 + 2;
          					 *0x33 =  *0x33 + 2;
          					_t394 = _t456;
          					 *0x37075A26 =  *((intOrPtr*)(0x37075a26)) + _t427;
          					_t394[0xd] = _t394[0xd] + 0x35;
          					 *0xFFFFFFFF80269C33 =  *((intOrPtr*)(0xffffffff80269c33)) + _t437;
          					 *0x3be000 =  *0x3be000 | _t442;
          					 *_t394 =  *_t394 + 2;
          					 *0x0D26A833 =  *((intOrPtr*)(0xd26a833)) + _t437;
          					_t404 = _t404 |  *0x33;
          					 *_t442 =  *_t442 + _t427;
          					_t366 = 0x33;
          					_t456 = _t394;
          					 *0x400A6959 =  *((intOrPtr*)(0x400a6959)) + _t427;
          				}
          				 *0x22 =  *0x22 + _t437;
          				_t456[0x1c837bc2] = _t366 + _t456[0x1c837bc2];
          				 *_t404 = _t366 +  *_t404;
          				asm("sbb eax, 0x22");
          				 *((intOrPtr*)(_t456 - 0x66d8edf8)) =  *((intOrPtr*)(_t456 - 0x66d8edf8)) + _t366;
          				_t368 = _t366 +  *_t404 &  *[es:eax];
          				 *_t368 =  *_t368 + _t368;
          				_t456[0x689c6c2] = _t456[0x689c6c2] + _t368;
          				 *((intOrPtr*)(_t368 + _t368 + 0x2e)) =  *((intOrPtr*)(_t368 + _t368 + 0x2e)) + _t368;
          				_t369 = _t368 &  *_t368;
          				 *_t369 =  *_t369 + _t369;
          				 *((intOrPtr*)(_t456 - 0x77d8daf8)) =  *((intOrPtr*)(_t456 - 0x77d8daf8)) + _t369;
          				_t370 = _t369 |  *(_t369 + _t369 + 0x1e);
          				 *_t370 =  *_t370 & _t370;
          				 *_t370 =  *_t370 + _t370;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t370;
          				 *_t467 =  *_t467 + _t370;
          				asm("aaa");
          				_t371 = _t370 &  *_t370;
          				 *_t371 =  *_t371 + _t371;
          				 *((intOrPtr*)(_t456 - 0x72f1dae8)) =  *((intOrPtr*)(_t456 - 0x72f1dae8)) + _t371;
          				_t372 = _t371 |  *_t467;
          				_push(ds);
          				 *_t372 =  *_t372 & _t372;
          				 *_t372 =  *_t372 + _t372;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t372;
          				 *_t442 =  *_t442 + _t372;
          				_t468 = _t467 - 1;
          				_t373 = _t372 &  *_t372;
          				 *_t373 =  *_t373 + _t373;
          				 *((intOrPtr*)(_t404 - 0x15ed5a00)) =  *((intOrPtr*)(_t404 - 0x15ed5a00)) + _t373;
          				 *_t442 =  *_t442 | _t373;
          				_push(ds);
          				 *_t373 =  *_t373 & _t373;
          				 *_t373 =  *_t373 + _t373;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t373;
          				 *_t373 =  *_t373 + _t427;
          				asm("pushad");
          				_t374 = _t373 &  *_t373;
          				 *_t374 =  *_t374 + _t374;
          				 *((intOrPtr*)(_t404 - 0x15ed3700)) =  *((intOrPtr*)(_t404 - 0x15ed3700)) + _t374;
          				 *_t374 =  *_t374 | _t427;
          				_push(ds);
          				 *_t374 =  *_t374 & _t374;
          				 *_t374 =  *_t374 + _t374;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t374;
          				 *_t427 =  *_t427 + _t427;
          				_t375 = _t374 ^ 0x0000003f;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + 0xffffffe2;
          				asm("adc ch, dl");
          				 *_t427 =  *_t427 | _t427;
          				if( *_t427 == 0) {
          					 *_t375 =  *_t375 + _t375;
          					 *_t375 =  *_t375 + _t375;
          					_t263 = _t375;
          					_t375 = _t427;
          					_t427 = _t263;
          					asm("sbb [esi+0x22], cl");
          					asm("outsb");
          					 *_t437 =  *_t437 + _t427;
          					_push(ds);
          					 *_t375 =  *_t375 & _t375;
          					 *_t375 =  *_t375 + _t375;
          					 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t375;
          					 *_t437 =  *_t437 + _t427;
          					 *_t437 =  *_t437 & 0x00000000;
          					 *_t375 =  *_t375 + 0x2f;
          				}
          				asm("das");
          				asm("adc bl, [edx]");
          				 *_t437 =  *_t437 | _t427;
          				asm("adc ah, [edx]");
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + 0x4c;
          				asm("adc bh, [eax]");
          				 *_t404 =  *_t404 | _t427;
          				 *_t437 = _t470;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + 0x71;
          				asm("adc bh, [ecx+0x8]");
          				 *_t437 = _t437 +  *_t437;
          				 *_t375 =  *_t375 + 0xffffff8e;
          				asm("adc ch, [ebx+0x1e004d08]");
          				 *_t375 =  *_t375 & _t375;
          				 *_t375 =  *_t375 + _t375;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t375;
          				 *_t456 =  *_t456 + _t427;
          				asm("aas");
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + _t375;
          				 *_t375 =  *_t375 + 0xffffffec;
          				asm("adc ecx, ecx");
          				 *_t456 =  *_t456 | _t427;
          				asm("pushfd");
          				_t376 = _t375 &  *_t375;
          				 *_t376 =  *_t376 + _t376;
          				 *((intOrPtr*)(_t427 + 0x6e224e18)) =  *((intOrPtr*)(_t427 + 0x6e224e18)) + _t437;
          				 *_t442 =  *_t442 + _t427;
          				_push(ds);
          				 *_t376 =  *_t376 & _t376;
          				 *_t376 =  *_t376 + _t376;
          				 *((intOrPtr*)(_t456 - 0x6cf1dae8)) =  *((intOrPtr*)(_t456 - 0x6cf1dae8)) + _t376;
          				 *_t442 =  *_t442 + _t427;
          				 *_t376 =  *_t376 + _t376;
          				 *_t376 =  *_t376 + _t376;
          				 *_t376 =  *_t376 + 0x26;
          				asm("adc al, 0xc9");
          				 *_t442 =  *_t442 | _t427;
          				asm("int3");
          				asm("aas");
          				 *_t376 =  *_t376 + _t376;
          				 *_t376 =  *_t376 + _t376;
          				_t377 = _t456;
          				_t405 = _t404 + _t427;
          				asm("daa");
          				 *_t405 =  *_t405 - _t427;
          				_push(_t377);
          				_t377[0x10] = _t377 + _t377[0x10];
          				 *_t377 = _t377 +  *_t377;
          				 *_t377 = _t377 +  *_t377;
          				_t378 = _t376;
          				asm("daa");
          				_t439 =  &(_t437[0]) | _t437[0];
          				asm("loopne 0x42");
          				 *_t378 =  *_t378 + _t378;
          				 *_t378 =  *_t378 + _t378;
          				_t407 = _t405 + _t427 + _t427;
          				asm("daa");
          				 *_t407 = _t427;
          				_t380 = _t377 + _t439;
          				_t429 =  *_t407 + 1;
          				 *_t380 =  *_t380 + _t380;
          				 *_t380 =  *_t380 + _t380;
          				asm("daa");
          				_t382 = _t468;
          				 *_t382 =  *_t382 + _t429;
          				_t440 = _t439 + 1;
          				 *_t382 =  *_t382 + _t382;
          				 *_t382 =  *_t382 + _t382;
          				_t383 = _t380;
          				asm("daa");
          				asm("fisttp qword [ebx]");
          				 *((intOrPtr*)(_t440 + _t383 * 2)) =  *((intOrPtr*)(_t440 + _t383 * 2)) + 0xb;
          				 *_t383 =  *_t383 + _t383;
          				 *_t383 =  *_t383 + _t383;
          				 *_t442 =  *_t442 + _t440;
          				_t385 = _t382 - 0xb + _t429;
          				asm("pushfd");
          				_t441 = _t440 + 1;
          				 *_t385 =  *_t385 + _t385;
          				 *_t385 =  *_t385 + _t385;
          				asm("daa");
          				_t388 = (_t383 | 0x00000060) + _t441;
          				 *_t388 =  *_t388 + _t388;
          				 *_t388 =  *_t388 + _t388;
          				_t464 = _t388;
          				 *((intOrPtr*)(_t464 + 0x28)) =  *((intOrPtr*)(_t464 + 0x28)) + _t441;
          				_pop(_t414);
          				_t390 = _t385 | 0x00000064;
          				 *_t390 =  *_t390 + _t390;
          				 *_t390 =  *_t390 + _t390;
          				 *_t390 =  *_t390 + _t390;
          				_t391 = _t464;
          				_t465 = _t390;
          				 *((intOrPtr*)(_t391 + 0x650c8028)) =  *((intOrPtr*)(_t391 + 0x650c8028)) + _t391;
          				 *((intOrPtr*)(_t391 + 0x44)) =  *((intOrPtr*)(_t391 + 0x44)) + _t441;
          				 *((intOrPtr*)(_t465 - 0x3ad75a00)) =  *((intOrPtr*)(_t465 - 0x3ad75a00)) + _t441;
          				_t392 = _t391 | 0x00000068;
          				 *_t465 =  *_t465 + _t414;
          				 *_t392 =  *_t392 & _t392;
          				 *_t392 =  *_t392 + _t392;
          				 *((intOrPtr*)(_t465 - 0x6cf1dae8)) =  *((intOrPtr*)(_t465 - 0x6cf1dae8)) + _t392;
          				 *_t429 =  *_t429 + _t429;
          				 *_t392 =  *_t392 + _t392;
          				 *_t392 =  *_t392 + _t392;
          				 *_t392 =  *_t392 + 0xffffffc3;
          				asm("adc al, 0x3c");
          				_t393 = _t392 + 0x69;
          				 *_t465 =  *_t465 + _t414;
          				 *_t393 =  *_t393 & _t393;
          				 *_t393 =  *_t393 + _t393;
          				 *((intOrPtr*)(_t465 - 0x6cf1dae8)) =  *((intOrPtr*)(_t465 - 0x6cf1dae8)) + _t393;
          				 *_t441 =  *_t441 + 0x22;
          				return _t393;
          			}

Disassembly listing for the function at 0x00747241 (instruction addresses 0x00747241 through 0x007478d6): only the address column survived extraction; the instruction mnemonics and opcode bytes are not present on the page.
          0x007478d8
          0x007478dd
          0x007478e1
          0x007478e4
          0x007478e6
          0x007478e8
          0x007478e9
          0x007478ec
          0x007478ed
          0x007478ef
          0x007478f2
          0x007478f4
          0x007478f6
          0x007478f6
          0x007478f7
          0x007478fd
          0x00747903
          0x00747909
          0x0074790b
          0x0074790d
          0x0074790f
          0x00747911
          0x00747917
          0x0074791c
          0x0074791e
          0x00747920
          0x00747923
          0x00747925
          0x00747927
          0x00747929
          0x0074792b
          0x0074792d
          0x00747933
          0x00747936

          Memory Dump Source
          • Source File: 00000002.00000002.316581946.00000000006B2000.00000002.00020000.sdmp, Offset: 006B0000, based on PE: true
          • Associated: 00000002.00000002.316564049.00000000006B0000.00000002.00020000.sdmp
          • Associated: 00000002.00000002.316764975.0000000000752000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 04b201e0b9c39f988c70f632229dafc4114fc50539d3e1d72dc68da451c52eb3
          • Instruction ID: 03fcb19dd03219ab859202d3046582e4acbb95e44a253db6b718bcc58adcfba5
          • Opcode Fuzzy Hash: 04b201e0b9c39f988c70f632229dafc4114fc50539d3e1d72dc68da451c52eb3
          • Instruction Fuzzy Hash: 0D42EC6154E3D25FD7138B708CB5682BFB0AE1312471E4ADFC0C1CF9A3E258599AD762
          Uniqueness

          Uniqueness Score: -1.00%

          Executed Functions

          APIs
          • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 0740E1F3
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: InformationProcess
          • String ID: 7)@
          • API String ID: 1801817001-2336975141
          • Opcode ID: 10c9f153c9c982f313824eea73e1c47d4d618f2707bd90fb16e97d885928163d
          • Instruction ID: 91e7491983468f6e76b7080d7dfa2f4d46d29360a1a632c9969fcdafb465cff4
          • Opcode Fuzzy Hash: 10c9f153c9c982f313824eea73e1c47d4d618f2707bd90fb16e97d885928163d
          • Instruction Fuzzy Hash: 511126B5D002599FCB10DF9AD484BDEFBF4FB48324F10882AE828A7240C374A945CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 0740E1F3
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: InformationProcess
          • String ID: 7)@
          • API String ID: 1801817001-2336975141
          • Opcode ID: eef0c54e00a94f18ec6e15c44e2e919b33c520a16b34f28165eeda33b6f8c6a6
          • Instruction ID: 3a790751ace1ae5041d1c963ed141fc20310293ef271f1598e0be84e17774702
          • Opcode Fuzzy Hash: eef0c54e00a94f18ec6e15c44e2e919b33c520a16b34f28165eeda33b6f8c6a6
          • Instruction Fuzzy Hash: C511F6B59042599FCB10DF9AD884BDEFBF4FB48324F10842AE419A7250D774A944CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentProcess.KERNEL32 ref: 016DB730
          • GetCurrentThread.KERNEL32 ref: 016DB76D
          • GetCurrentProcess.KERNEL32 ref: 016DB7AA
          • GetCurrentThreadId.KERNEL32 ref: 016DB803
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: Current$ProcessThread
          • String ID: 7)@
          • API String ID: 2063062207-2336975141
          • Opcode ID: f7c8d7838c13b239df74731a3c6da0e29b50f233650d2dc8c5d0518e7b83db1d
          • Instruction ID: 2f70f26e45f4d661cb5188ebac9c76dd5c81ed8376daf0ffebdc56fab777850e
          • Opcode Fuzzy Hash: f7c8d7838c13b239df74731a3c6da0e29b50f233650d2dc8c5d0518e7b83db1d
          • Instruction Fuzzy Hash: 845175B4D006488FEB14CFAAC989BEEBBF0FB48314F258559E019A3350CB746844CF65
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentProcess.KERNEL32 ref: 016DB730
          • GetCurrentThread.KERNEL32 ref: 016DB76D
          • GetCurrentProcess.KERNEL32 ref: 016DB7AA
          • GetCurrentThreadId.KERNEL32 ref: 016DB803
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: Current$ProcessThread
          • String ID: 7)@
          • API String ID: 2063062207-2336975141
          • Opcode ID: fe0ed15d1980cff44c7191600e6ba83d9bc8959318c809a166ed249a54d0b569
          • Instruction ID: 84f4d75eb76b89a4d9a1b12aca92d8b97eac59adcea9aa49bd2f42fba09afd60
          • Opcode Fuzzy Hash: fe0ed15d1980cff44c7191600e6ba83d9bc8959318c809a166ed249a54d0b569
          • Instruction Fuzzy Hash: 905175B4D046088FEB14CFAAC988BEEBBF0BF49314F25841AE019A7360CB745844CF65
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016DFD0A
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: CreateWindow
          • String ID: 7)@$7)@
          • API String ID: 716092398-991042236
          • Opcode ID: 8746b7c3cddb87fbc7bbb80c4c06752c47912ce314fcbcb19145e5c3bed19018
          • Instruction ID: dfd3d079c012a8e54d71cee3b9e2e271df3fcab1173fa65686256359cb3e3b8d
          • Opcode Fuzzy Hash: 8746b7c3cddb87fbc7bbb80c4c06752c47912ce314fcbcb19145e5c3bed19018
          • Instruction Fuzzy Hash: 336155B1C043489FDB15CFA9D880ADEBFB1FF49310F18816AE815AB251D7749946CF51
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016DFD0A
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: CreateWindow
          • String ID: 7)@$7)@
          • API String ID: 716092398-991042236
          • Opcode ID: 2f1ae9320f7e295e53462e80b6a3af2abde05dc6652dc1ad8be6a6e566fb2bc6
          • Instruction ID: 95cc6cc9c4172a3824892093acef6b55e2c402ed20cb9e551c49b05af71facb5
          • Opcode Fuzzy Hash: 2f1ae9320f7e295e53462e80b6a3af2abde05dc6652dc1ad8be6a6e566fb2bc6
          • Instruction Fuzzy Hash: 985113B1C04249AFDF15CFA9C880ADEBFB1FF48314F25816AE919AB221D7759845CF90
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MoveFileExA.KERNEL32(00000000,?,?), ref: 0740E365
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: FileMove
          • String ID: 7)@$7)@
          • API String ID: 3562171763-991042236
          • Opcode ID: 75b6a3a903dc3a950fbd4a62da5e3793e58f6e264dcdea9038005fe90033dc57
          • Instruction ID: 1431ab8927889c55eacc18ac6baafcf463313605c729ab272694e88095d1c3a1
          • Opcode Fuzzy Hash: 75b6a3a903dc3a950fbd4a62da5e3793e58f6e264dcdea9038005fe90033dc57
          • Instruction Fuzzy Hash: 6B5176B0D00629CFDB10DFA9D9857EEBBF1BB48714F14892AE815E7380D7748491CB81
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MoveFileExA.KERNEL32(00000000,?,?), ref: 0740E365
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: FileMove
          • String ID: 7)@$7)@
          • API String ID: 3562171763-991042236
          • Opcode ID: d175c2db748502dcd969e347614a607ddba7b3d20d159d7a874fbf02a52e3193
          • Instruction ID: fc509e9e2a8baa73669f83b49e0f9923e61fbdfa3c1e32e5000eddb5ecbd927a
          • Opcode Fuzzy Hash: d175c2db748502dcd969e347614a607ddba7b3d20d159d7a874fbf02a52e3193
          • Instruction Fuzzy Hash: F95176B0D00629DFDB10DFA9C9857EEBBF1BB48714F14892AE855E7380D7749891CB82
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016DFD0A
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: CreateWindow
          • String ID: 7)@$7)@
          • API String ID: 716092398-991042236
          • Opcode ID: d60664fae32eac787433eda896f02bb0dd497985bb2862fa8e17cc3e11f49897
          • Instruction ID: de63117af839dbc2b78bd1c5eefd53ee455865bff4e6a91403e9618d2bee4c67
          • Opcode Fuzzy Hash: d60664fae32eac787433eda896f02bb0dd497985bb2862fa8e17cc3e11f49897
          • Instruction Fuzzy Hash: 6341B1B1D003099FDF14CF99D884ADEBBB5BF48314F24812AE819AB250D7749945CF91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID: 7)@$7)@
          • API String ID: 1029625771-991042236
          • Opcode ID: 6dc11ff20ebba1ad592be6e4de1a6a8a6c682164823ddc7e487c56e493029f7e
          • Instruction ID: 50383d0ff9e7dea2ab07cc3ead711292559cdcd80573a784ee16bab97018ef22
          • Opcode Fuzzy Hash: 6dc11ff20ebba1ad592be6e4de1a6a8a6c682164823ddc7e487c56e493029f7e
          • Instruction Fuzzy Hash: 4E3143B0D002899FDB10CFA8D985BDEBBF1BB09314F14852AE915A7380D7789485CF92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID: 7)@$7)@
          • API String ID: 1029625771-991042236
          • Opcode ID: eeb93da836dfaa1097fc40e0c33586f8aea867c9ace576e86fd7ba8c0867fb00
          • Instruction ID: 71ae13b55ddd89d868dc135e87ff2481ef90ab3d076c4ce32cff16a8ad866597
          • Opcode Fuzzy Hash: eeb93da836dfaa1097fc40e0c33586f8aea867c9ace576e86fd7ba8c0867fb00
          • Instruction Fuzzy Hash: 533155B0D002899FCB14CFA9C884BDEBBF5FB0A314F14852AE915A7380D7789445CF92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetModuleHandleW.KERNEL32(00000000), ref: 016D962E
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: HandleModule
          • String ID: 7)@
          • API String ID: 4139908857-2336975141
          • Opcode ID: 90a59a1116e2acccea6c6b2233fb7174531bc2c9b01cf705bea2559a4733485a
          • Instruction ID: 21ace7c2651d7d2265f0f8f2010fa4f5c3d770003acc68ed13d585317bf1e918
          • Opcode Fuzzy Hash: 90a59a1116e2acccea6c6b2233fb7174531bc2c9b01cf705bea2559a4733485a
          • Instruction Fuzzy Hash: 6C712470A00B058FDB24DF2AC8457AABBF5BF88308F10892DD58AD7B50DB34E805CB91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DBD87
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: DuplicateHandle
          • String ID: 7)@
          • API String ID: 3793708945-2336975141
          • Opcode ID: 1b4173cc18ffbc19af996f2cf16c3ec687ddf42977189470ff89204dac5f6247
          • Instruction ID: 8f87dcf72f3ab1912271140547c33c36abb7f2f28825eedd6bb870a4e992989e
          • Opcode Fuzzy Hash: 1b4173cc18ffbc19af996f2cf16c3ec687ddf42977189470ff89204dac5f6247
          • Instruction Fuzzy Hash: 1821E5B5D002489FDF10CFA9D984AEEBBF4BB48324F15841AE958A7310C3789944CF61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetKernelObjectSecurity.KERNELBASE(012848E8,00000004,00000000,?,?,?,?,?,00000000,?,0740DF74,00000000), ref: 0740E00E
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: KernelObjectSecurity
          • String ID: 7)@
          • API String ID: 3015937269-2336975141
          • Opcode ID: 8aa7733e4d3a6dd93cbfb280448a49e8c6c64acd4b5100f0f8dcb5208568b8de
          • Instruction ID: 258cf30fe5f333739e9f32400aac1a705ee0dcb32f211e8164826f36a6f989c1
          • Opcode Fuzzy Hash: 8aa7733e4d3a6dd93cbfb280448a49e8c6c64acd4b5100f0f8dcb5208568b8de
          • Instruction Fuzzy Hash: 2F2118B1A04219DFCB10CF9AC885BEEBBF4EB48314F10842AE519A7340D778A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DBD87
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: DuplicateHandle
          • String ID: 7)@
          • API String ID: 3793708945-2336975141
          • Opcode ID: 145363f94ce455b7bb74baa8d19c2a700f0cc61dace626ca697db257532bc358
          • Instruction ID: b143873bcce8765d68411231ee287851c3e156d8503cbff2a19bb03601fec52c
          • Opcode Fuzzy Hash: 145363f94ce455b7bb74baa8d19c2a700f0cc61dace626ca697db257532bc358
          • Instruction Fuzzy Hash: 0821B3B59002489FDB10CFAAD984ADEBBF4EB48324F15841AE958A7350D778A944CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetKernelObjectSecurity.KERNELBASE(012848E8,00000004,00000000,?,?,?,?,?,00000000,?,0740DF74,00000000), ref: 0740E00E
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.328385316.0000000007400000.00000040.00000001.sdmp, Offset: 07400000, based on PE: false
          Similarity
          • API ID: KernelObjectSecurity
          • String ID: 7)@
          • API String ID: 3015937269-2336975141
          • Opcode ID: 648066e7d4549816fc3dfca8f80e954b804df2d8b7db84e9480e7fed093c050d
          • Instruction ID: 7543ed93276851999d08bd2fd1d53e3a7548d288a8137142c9989e7680df804b
          • Opcode Fuzzy Hash: 648066e7d4549816fc3dfca8f80e954b804df2d8b7db84e9480e7fed093c050d
          • Instruction Fuzzy Hash: 7D2149B1900259DFCB10CFAAC485BEEBBF4FB48324F14842AE458A7740D778A944CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016D96A9,00000800,00000000,00000000), ref: 016D98BA
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID: 7)@
          • API String ID: 1029625771-2336975141
          • Opcode ID: 03e51d0a787d381ac59291f2f36eab8743990d2f05e2d56c4d671f5e491c8b6f
          • Instruction ID: 05707fe7375fc9df654af43a190a77d5bc4394a388ca79b7123fbcf8cd312ef7
          • Opcode Fuzzy Hash: 03e51d0a787d381ac59291f2f36eab8743990d2f05e2d56c4d671f5e491c8b6f
          • Instruction Fuzzy Hash: 7E1124B5D002489FDB10CF9AC844ADEBBF4EB88314F11842AD519A7600C774A945CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016D96A9,00000800,00000000,00000000), ref: 016D98BA
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID: 7)@
          • API String ID: 1029625771-2336975141
          • Opcode ID: cd2dfe1e491322e502a6ce32686b3f373aca41b4d2dc0cd09c74a09bb85552ee
          • Instruction ID: 4eb4e4e87b6b4c42c73529cb4dd59e9cb64f6325f9c0d787b87d8b585076bb82
          • Opcode Fuzzy Hash: cd2dfe1e491322e502a6ce32686b3f373aca41b4d2dc0cd09c74a09bb85552ee
          • Instruction Fuzzy Hash: CE1144B2D002089FDB10CF9AC844BDEFBF4EB88324F15842AD419A7300C778A545CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetModuleHandleW.KERNEL32(00000000), ref: 016D962E
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: HandleModule
          • String ID: 7)@
          • API String ID: 4139908857-2336975141
          • Opcode ID: 6f0cf53d109362abab6626d2b19c22c4bcbe26586c9df79c3917a5ec24e094c6
          • Instruction ID: d74aae16f58a547234b915fd7c404c4b4a75efd7ea5e7841dd794a5db12a146d
          • Opcode Fuzzy Hash: 6f0cf53d109362abab6626d2b19c22c4bcbe26586c9df79c3917a5ec24e094c6
          • Instruction Fuzzy Hash: B01110B5D006498FDB10CF9AC844BDEFBF4EB88328F14842AD419A7600C378A545CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetWindowLongW.USER32(?,?,?), ref: 016DFE9D
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: LongWindow
          • String ID: 7)@
          • API String ID: 1378638983-2336975141
          • Opcode ID: 3063b300ed6d34639dc731fa7bb4d83446bcc35f2fd361cd43a0d2601f2656e2
          • Instruction ID: abc96e4c7b946aa48e49e16981f8c844dbaf2e219b75e72597d0af7822cbd8f1
          • Opcode Fuzzy Hash: 3063b300ed6d34639dc731fa7bb4d83446bcc35f2fd361cd43a0d2601f2656e2
          • Instruction Fuzzy Hash: E21122B58002489FDB10CF99D889BDEFBF8EB48324F10891AD819A3340C378A944CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetWindowLongW.USER32(?,?,?), ref: 016DFE9D
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.318494350.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false
          Similarity
          • API ID: LongWindow
          • String ID: 7)@
          • API String ID: 1378638983-2336975141
          • Opcode ID: efab74ec6f04a2410953d9fda10fa340b2a03c830bc3a0b843d7fab369c2a2a9
          • Instruction ID: 5c9d0ca9631659410de2824adc55a7ea2b075eefd68572b13c8951190325232d
          • Opcode Fuzzy Hash: efab74ec6f04a2410953d9fda10fa340b2a03c830bc3a0b843d7fab369c2a2a9
          • Instruction Fuzzy Hash: 851112B59002489FDB10CF9AD985BDFFBF8EB88324F10845AD919A7340C378A944CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions