
Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321079
MD5: 03c41991be46edacb01b18d7ffe97b33
SHA1: 17193a4a9fad92f1473d42bbe0d14e83da481a72
SHA256: 749b86298b1735b41e92eef8b48c0aa38f1d7fa55bd0958b7b752bfcb5cb5a87
Tags: exe, NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Protects its processes via BreakOnTermination flag
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation ATB-PR28500KINH.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 03C41991BE46EDACB01B18D7FFE97B33)
    • Quotation ATB-PR28500KINH.exe (PID: 6148 cmdline: Quotation ATB-PR28500KINH.exe MD5: 03C41991BE46EDACB01B18D7FFE97B33)
      • schtasks.exe (PID: 6284 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1760 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5344 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6052 cmdline: 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 4968 cmdline: taskkill /f /im 'Quotation ATB-PR28500KINH.exe' MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • PING.EXE (PID: 5604 cmdline: ping -n 1 -w 3000 1.1.1.1 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each entry)
00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(43 entries in total; only the first entries are shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each entry)
6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x41ee:$x2: NanoCore.ClientPluginHost
  • 0x7641:$s4: PipeCreated
  • 0x4218:$s5: IClientLoggingHost
2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(35 entries in total; only the first entries are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ProcessId: 6148, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Quotation ATB-PR28500KINH.exe, ParentImage: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ParentProcessId: 6148, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp', ProcessId: 6284

      Signature Overview


      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Quotation ATB-PR28500KINH.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Source: C:\Users\user\AppData\Roaming\45678 | Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\45678 | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Quotation ATB-PR28500KINH.exe | ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
Source: Yara match | File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\45678 | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe | Joe Sandbox ML: detected
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

      Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: global traffic | TCP traffic: 192.168.2.3:49725 -> 194.5.97.9:1430
Source: Joe Sandbox View | IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: petroleum.sytes.net
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
Source: Yara match | File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE

      Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process information set: 00 00 00 00

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740E180 NtSetInformationProcess,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740E178 NtSetInformationProcess,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 2_2_00747241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_00C67241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DE471
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DE480
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_016DBBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_074077A0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07400298
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07406ED0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_0740B920
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07400356
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 6_2_07406B88
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 10_2_00647241
Source: Quotation ATB-PR28500KINH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45678.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.326733163.00000000046F5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.326304055.0000000006240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317789934.000000000138A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.323134586.0000000003F2E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.317624491.0000000000D7A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.332027361.0000000073FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 45678.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: HJdyTuap.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@43520/9@2/3
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\45678
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Local\Temp\tmpECB7.tmp
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Quotation ATB-PR28500KINH.exe")
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Quotation ATB-PR28500KINH.exe | ReversingLabs: Detection: 27%
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: \??\C:\Windows\mscorlib.pdb6e source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
      Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
      Source: Binary string: mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327183574.0000000006D8F000.00000004.00000001.sdmp
      Source: Binary string: p0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
      Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
      Source: Binary string: mscorlib.pdbH source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327127110.0000000006D70000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs :: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs :: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs :: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs :: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: HJdyTuap.exe.2.dr :: Static PE information: real checksum: 0x108e0c should be: 0x10980c
      Source: initial sample :: Static PE information: section name: .text entropy: 7.8618274721
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs :: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs :: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs :: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs :: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: File created: C:\Users\user\AppData\Roaming\45678

      Boot Survival:

      Drops PE files to the startup folder
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: File opened: C:\Users\user\AppData\Roaming\45678:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exe :: Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe :: Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exe :: Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Uses ping.exe to sleep
      Source: unknown :: Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Window / User API: threadDelayed 3215
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Window / User API: threadDelayed 6337
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6392 :: Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6464 :: Thread sleep count: 50 > 30
      Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Code function: 2_2_050300AD mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Code function: 2_2_050300AD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\taskkill.exe :: Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Section loaded: unknown target: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.328052753.000000000733E000.00000004.00000010.sdmp :: Binary or memory string: Program Manager
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320469818.0000000003371000.00000004.00000001.sdmp :: Binary or memory string: Program ManagerHa+l
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.318986123.00000000030AB000.00000004.00000001.sdmp :: Binary or memory string: Program ManagerD$+l
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.319565462.00000000031B9000.00000004.00000001.sdmp :: Binary or memory string: Program Managerx
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320153837.00000000032EB000.00000004.00000001.sdmp :: Binary or memory string: Program Managert
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327030641.00000000069AB000.00000004.00000010.sdmp :: Binary or memory string: Program Manager@
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match :: File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match :: File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match :: File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
      Source: Yara match :: File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
      Source: Yara match :: File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
      Source: Yara match :: File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
      Source: Yara match :: File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
      Source: Yara match :: File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match :: File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp :: String found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp :: String found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp :: String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp :: String found in binary or memory: NanoCore.ClientPluginHost

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation11 | Startup Items1 | Startup Items1 | Disable or Modify Tools11 | Input Capture21 | System Information Discovery13 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder12 | Scheduled Task/Job1 | Obfuscated Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder12 | Software Packing13 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion2 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

Behavior Graph ID: 321079; Sample: Quotation ATB-PR28500KINH.exe; Start date: 20/11/2020; Architecture: WINDOWS; Score: 100

• Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 14 other signatures
• Two instances of Quotation ATB-PR28500KINH.exe are started from the sample. One drops C:\Users\user\AppData\...\HJdyTuap.exe (PE32), C:\Users\user\AppData\Roaming\45678 (PE32) and C:\Users\user\...\45678:Zone.Identifier (ASCII); signatures: Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier); it starts a further Quotation ATB-PR28500KINH.exe
• That child Quotation ATB-PR28500KINH.exe contacts petroleum.sytes.net (194.5.97.9, ports 1430, 49725, 49727; DANILENKODE, Netherlands); drops C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO) and C:\Users\user\AppData\Local\...\tmpECB7.tmp (XML); signature: Protects its processes via BreakOnTermination flag; starts cmd.exe and three schtasks.exe instances
• cmd.exe contacts 1.1.1.1 (CLOUDFLARENETUS, Australia); signature: Uses ping.exe to sleep; starts PING.EXE, conhost.exe and taskkill.exe; each schtasks.exe starts a conhost.exe
• PING.EXE contacts 192.168.2.1 (unknown)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
Quotation ATB-PR28500KINH.exe | 27% | ReversingLabs | ByteCode-MSIL.Hacktool.Mimikatz
Quotation ATB-PR28500KINH.exe | 100% | Avira | TR/AD.Nanocore.qhfnr
Quotation ATB-PR28500KINH.exe | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Avira | TR/AD.Nanocore.qhfnr
C:\Users\user\AppData\Roaming\45678 | 100% | Avira | TR/AD.Nanocore.qhfnr
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\45678 | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\45678 | 27% | ReversingLabs | ByteCode-MSIL.Hacktool.Mimikatz
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

Source | Detection | Scanner | Label
6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack | 100% | Avira | TR/NanoCore.fadte
2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

Source | Detection | Scanner | Label
petroleum.sytes.net | 1% | Virustotal |

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
petroleum.sytes.net | 194.5.97.9 | true | false | | unknown

      Contacted IPs


      Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | true
194.5.97.9 | unknown | Netherlands | 208476 | DANILENKODE | false

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:321079
      Start date:20.11.2020
      Start time:10:52:16
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 42s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Quotation ATB-PR28500KINH.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.adwa.evad.winEXE@43520/9@2/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 0.3% (good quality ratio 0.2%)
      • Quality average: 60.3%
      • Quality standard deviation: 29.8%
      HCA Information:
      • Successful, ratio: 96%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 104.43.193.48, 23.210.248.85, 84.53.167.113, 51.104.139.180, 8.241.11.126, 8.248.125.254, 8.248.117.254, 67.26.137.254, 8.248.119.254, 52.155.217.156, 20.54.26.129, 95.101.22.134, 95.101.22.125
      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
10:53:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
10:53:33 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe" s>$(Arg0)

      Joe Sandbox View / Context

      IPs

Match | Associated Sample Name / URL | Detection | Context
1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload
194.5.97.9 | Quotation ATB-PR28500KINH.exe | malicious |

        Domains

Match | Associated Sample Name / URL | Detection | Context
petroleum.sytes.net | Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
petroleum.sytes.net | RFQ-BOHB-SS-FD6L4.exe | malicious | 185.140.53.139
petroleum.sytes.net | new order is in the attached.exe | malicious | 185.244.30.10
petroleum.sytes.net | Claim 001 & 002_pdf.exe | malicious | 185.244.30.10
petroleum.sytes.net | Claim 001 & 002_JPEG.exe | malicious | 185.244.30.10
petroleum.sytes.net | Product lists.exe | malicious | 185.244.30.10
petroleum.sytes.net | End of the yr shipment#102120.exe | malicious | 185.244.30.10
petroleum.sytes.net | ALLPLATES-P.O#008012019.pdf.exe | malicious | 185.244.30.10
petroleum.sytes.net | ALLPLATES-P.O#008012019.exe | malicious | 185.244.30.10
petroleum.sytes.net | Request price listing.exe | malicious | 185.244.30.10
petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10
petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10

        ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | 23prRlqeGr.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | malicious | 104.20.23.46
CLOUDFLARENETUS | RFQ-HSO-76411758-1.jar | malicious | 104.20.22.46
CLOUDFLARENETUS | iG9YiwEMru.exe | malicious | 104.27.132.115
CLOUDFLARENETUS | Avion Quotation Request.doc | malicious | 104.22.54.159
CLOUDFLARENETUS | SUSPENSION LETTER ON SIM SWAP.pdf.exe | malicious | 172.67.131.55
CLOUDFLARENETUS | Quotation ATB-PR28500KINH.exe | malicious | 1.1.1.1
CLOUDFLARENETUS | SaXJC2CZ8m.exe | malicious | 104.27.133.115
CLOUDFLARENETUS | PO91666. pdf.exe | malicious | 172.67.143.180
CLOUDFLARENETUS | BT2wDapfoI.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | ara.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | ORDER FORM DENK.exe | malicious | 104.18.47.150
CLOUDFLARENETUS | araiki.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | arailk.exe | malicious | 172.65.200.133
CLOUDFLARENETUS | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious | 104.26.4.196
CLOUDFLARENETUS | https://trondiamond.co/OMMOM/OM9u8 | malicious | 104.16.18.94
CLOUDFLARENETUS | https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000 | malicious | 104.16.149.64
CLOUDFLARENETUS | https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink | malicious | 104.18.215.67
CLOUDFLARENETUS | https://gazeta-echo.ru/wp-includes/assets/<>/?mail=tfagot@dupaco.com | malicious | 104.16.123.175
CLOUDFLARENETUS | https://go.pardot.com/e/395202/siness-insights-dashboard-html/bnmpz6/1446733421?h=AwLDfNsCVbkjEN13pzY-7AXMPolL_XMigGsJSppGaiM | malicious | 104.16.19.94
DANILENKODE | Quotation ATB-PR28500KINH.exe | malicious | 194.5.97.9
DANILENKODE | 19112020778IMG78487784.exe | malicious | 194.5.97.249
DANILENKODE | PaymentConformation.exe | malicious | 194.5.97.202
DANILENKODE | bGtm3bQKUj.exe | malicious | 194.5.98.122
DANILENKODE | IMAGE-18112020.exe | malicious | 194.5.97.17
DANILENKODE | Covid-19 relief.exe | malicious | 194.5.97.21
DANILENKODE | tax-relief.exe | malicious | 194.5.97.166
DANILENKODE | Ref-BID PRICE.exe | malicious | 194.5.98.252
DANILENKODE | 1ttmgYD97B.exe | malicious | 194.5.99.163
DANILENKODE | 2mtUEXin7W.exe | malicious | 194.5.99.163
DANILENKODE | wk59hOo880.exe | malicious | 194.5.99.163
DANILENKODE | BCVaSYrgmG.exe | malicious | 194.5.99.163
DANILENKODE | 30203490666.exe | malicious | 194.5.98.199
DANILENKODE | InSppuoN2s.exe | malicious | 194.5.98.196
DANILENKODE | Av01vC7kS1.exe | malicious | 194.5.97.155
DANILENKODE | yb1rlaFJuO.exe | malicious | 194.5.99.163
DANILENKODE | 1MwYrZqjEy.exe | malicious | 194.5.99.163
DANILENKODE | IRS-RELIEF.exe | malicious | 194.5.97.21
DANILENKODE | Jvdivmn_Signed_.exe | malicious | 194.5.97.38
DANILENKODE | myupsfile.exe | malicious | 194.5.97.38

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Temp\tmpECB7.tmp
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1315
        Entropy (8bit):5.1337076542548274
        Encrypted:false
        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0LFxtn:cbk4oL600QydbQxIYODOLedq3uFj
        MD5:5C24CCED27B3FB5CB89EE64C7E4FD458
        SHA1:EBC586E78D6BDC8F916D4FAB269033293F7980BD
        SHA-256:D7B6F315482BBFD57BD9AA6C302F2F55798D8BC3655853ABD6412B1D4289AFCC
        SHA-512:48E75213BEDEF4014E44F4C2B38643A7D4DF888CE261DD07908121F4A73B88F2A931AF5F0D27DB3FED120FDA2B7A75E074697CF2C94EEBD54CB403CA9C7F5D70
        Malicious:true
        Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
        C:\Users\user\AppData\Roaming\45678
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):1021440
        Entropy (8bit):6.747456626425728
        Encrypted:false
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg
        MD5:03C41991BE46EDACB01B18D7FFE97B33
        SHA1:17193A4A9FAD92F1473D42BBE0D14E83DA481A72
        SHA-256:749B86298B1735B41E92EEF8B48C0AA38F1D7FA55BD0958B7B752BFCB5CB5A87
        SHA-512:0A75BF191A00F1C641F6811D98C987F0248BE5CACEDD8C3C7E93E0CA5AE8913B4813BA792021B035A843DF78BE186D054221A311E185F3A37CC92F28EE2730D0
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 27%
        Reputation:low
        C:\Users\user\AppData\Roaming\45678:Zone.Identifier
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:true
        Preview: [ZoneTransfer]....ZoneId=0
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):128
        Entropy (8bit):6.527114648336088
        Encrypted:false
        SSDEEP:3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
        MD5:0A9C5EAE8756D6FC90F59D8D71A79E1E
        SHA1:0F7D6AAED17CD18DC614535ED26335C147E29ED7
        SHA-256:B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
        SHA-512:78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
        Malicious:false
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:Non-ISO extended-ASCII text, with NEL line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:3:JIP:aP
        MD5:179401BA509B78E5613624E70B9E2ECA
        SHA1:FB3A31D8A8900CADB2820CAF4FC8B3AE2AA6581F
        SHA-256:9AA369E0924A94912AB3C3CFD1ACC04CFC7470DBBA6829A03BD576FB15537FEC
        SHA-512:9D9379F07B9E607509FC84F858973BB81A03D97CDB620DC9C0F79AB4473DF5E2C37E6F5AA2C57A4E195F11A6082C683A3CC5C7BDB0768E698E1D7740BCA75D94
        Malicious:true
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):40
        Entropy (8bit):5.153055907333276
        Encrypted:false
        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
        MD5:4E5E92E2369688041CC82EF9650EDED2
        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
        Malicious:false
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:data
        Category:dropped
        Size (bytes):285608
        Entropy (8bit):7.99942192025113
        Encrypted:true
        SSDEEP:6144:KpKR3kz0ohkLsRC9wjZ59AbuaY5O+gRGD9Hcj4Tdw:IaUYweYC9wjZ59AyA5YFc0Te
        MD5:30E23835B6123B3250D73C3E313FEB01
        SHA1:52CDA23480DA64C5B16D9F6554D6B66E9FA1AE22
        SHA-256:20CC3B053C43B689D3C669DDDA6DF6E3C939B2059F9FA5B578AE2BB887269EB3
        SHA-512:DBF82EE996D82D0DAF95A3A9733056EF1FFE80D05D6ED88514FD728E9AA29161EEA8E75B12BB77E0D0B4F81C77A26CDAE4ABC29C8FA661D40C1941CA51E1749B
        Malicious:false
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):52
        Entropy (8bit):5.003042362247046
        Encrypted:false
        SSDEEP:3:oNWXp5v0fyMQkq3CAdA:oNWXpF0fyn3CN
        MD5:69CBDC701874E0618836B88761CDB7C2
        SHA1:00B9CDA4949AA22EBAAB35427447140F0DAEE0A4
        SHA-256:E4135CACE67B6B8D98545C5BAF81F6762EAA0BF6577BCCC7674E19B4E6DE9EA3
        SHA-512:D61307D607B94A5D70D9AC8FB8DCBF44A0DD9FADACFA59CD3BD160EEBABE578F23CE717D9EB5CA5AEDCB7692BCF5FF11406606504D438F99EFDA9BB81AE0D7E1
        Malicious:false
        Preview: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
        Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):1024000
        Entropy (8bit):6.742400621297182
        Encrypted:false
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg
        MD5:08AD546B0A6F6C8AAC626B2E0F24C879
        SHA1:62B8943CC7F8DDFDF36518398E9393E4C5F336D5
        SHA-256:47B9259DCC96B694585C2E2E216C309E1B83AA46025599A996605B2D2314C3DB
        SHA-512:ECD93E63F4706D5BBFA36C9003B18DFD19CA02FED78E3F59C4ED9B7185AA43274D9327C980E9BAFD879E58CFD77BB120B7922A35C985642E72833AD86FFD64C1
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 33%

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):6.747456626425728
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:Quotation ATB-PR28500KINH.exe
        File size:1021440
        MD5:03c41991be46edacb01b18d7ffe97b33
        SHA1:17193a4a9fad92f1473d42bbe0d14e83da481a72
        SHA256:749b86298b1735b41e92eef8b48c0aa38f1d7fa55bd0958b7b752bfcb5cb5a87
        SHA512:0a75bf191a00f1c641f6811d98c987f0248be5cacedd8c3c7e93e0ca5ae8913b4813ba792021b035a843df78be186d054221a311e185f3a37cc92f28ee2730d0
        SSDEEP:12288:cf9LurGfMzvqv7G9pq+0+Rcd70FOKWb4nlph7Qq4xohcYgpqC:g9LurGfPDmpq+0ZqVWcnlUFDYg

        File Icon

        Icon Hash:905ada12e9cc368b

        Static PE Info

        General

        Entrypoint:0x4a062e
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x5FB6EFA2 [Thu Nov 19 22:20:18 2020 UTC]
        TLS Callbacks:
        CLR (.Net) Version:v4.0.30319
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the rest of the entrypoint preview is zero bytes, which disassemble as repeated add byte ptr [eax], al)

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa05d4 | 0x57 | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5a94e | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x9e634 | 0x9e800 | False | 0.921431388013 | data | 7.8618274721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rsrc | 0xa2000 | 0x5a94e | 0x5aa00 | False | 0.0372737068966 | data | 2.71520754372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0xfe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0xa21d8 | 0x42028 | dBase III DBT, version number 0, next free block index 40 | English | United States
        RT_ICON | 0xe4200 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
        RT_ICON | 0xe4668 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413 | English | United States
        RT_ICON | 0xe6c10 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116 | English | United States
        RT_ICON | 0xe7cb8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
        RT_ICON | 0xf84e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036 | English | United States
        RT_GROUP_ICON | 0xfc708 | 0x5a | data | English | United States
        RT_MANIFEST | 0xfc764 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

        Imports

        DLL | Import
        mscoree.dll | _CorExeMain

        Possible Origin

        Language of compilation system | Country where language is spoken
        English | United States

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        11/20/20-10:53:57.838381 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.3 | 1.1.1.1
        11/20/20-10:53:57.838381 | ICMP | 384 | ICMP PING | | | 192.168.2.3 | 1.1.1.1
        11/20/20-10:53:57.854679 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.3

        Network Port Distribution

        TCP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP

        UDP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP

        ICMP Packets

        Timestamp | Source IP | Dest IP | Checksum | Code | Type
        Nov 20, 2020 10:53:57.838381052 CET | 192.168.2.3 | 1.1.1.1 | 4d5a | | Echo
        Nov 20, 2020 10:53:57.854679108 CET | 1.1.1.1 | 192.168.2.3 | 555a | | Echo Reply

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Nov 20, 2020 10:53:34.654174089 CET | 192.168.2.3 | 8.8.8.8 | 0x3a71 | Standard query (0) | petroleum.sytes.net | A (IP address) | IN (0x0001)
        Nov 20, 2020 10:53:40.491895914 CET | 192.168.2.3 | 8.8.8.8 | 0x9891 | Standard query (0) | petroleum.sytes.net | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Nov 20, 2020 10:53:34.693852901 CET | 8.8.8.8 | 192.168.2.3 | 0x3a71 | No error (0) | petroleum.sytes.net | | 194.5.97.9 | A (IP address) | IN (0x0001)
        Nov 20, 2020 10:53:40.527616024 CET | 8.8.8.8 | 192.168.2.3 | 0x9891 | No error (0) | petroleum.sytes.net | | 194.5.97.9 | A (IP address) | IN (0x0001)

        Code Manipulations

        Statistics

        Behavior


        System Behavior

        General

        Start time:10:53:11
        Start date:20/11/2020
        Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Imagebase:0x6b0000
        File size:1021440 bytes
        MD5 hash:03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation:low

        General

        Start time:10:53:29
        Start date:20/11/2020
        Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit):true
        Commandline:Quotation ATB-PR28500KINH.exe
        Imagebase:0xbd0000
        File size:1021440 bytes
        MD5 hash:03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
        Reputation:low

        General

        Start time:10:53:31
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
        Imagebase:0x12a0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:32
        Start date:20/11/2020
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:34
        Start date:20/11/2020
        Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
        Imagebase:0x5b0000
        File size:1021440 bytes
        MD5 hash:03C41991BE46EDACB01B18D7FFE97B33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation:low

        General

        Start time:10:53:53
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /delete /f /tn 'DHCP Monitor'
        Imagebase:0x12a0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:53
        Start date:20/11/2020
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7488e0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:54
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
        Imagebase:0x12a0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:54
        Start date:20/11/2020
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7488e0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:55
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Imagebase:0xbd0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:55
        Start date:20/11/2020
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:10:53:56
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\taskkill.exe
        Wow64 process (32bit):true
        Commandline:taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
        Imagebase:0x980000
        File size:74752 bytes
        MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate

        General

        Start time:10:53:56
        Start date:20/11/2020
        Path:C:\Windows\SysWOW64\PING.EXE
        Wow64 process (32bit):true
        Commandline:ping -n 1 -w 3000 1.1.1.1
        Imagebase:0xf00000
        File size:18944 bytes
        MD5 hash:70C24A306F768936563ABDADB9CA9108
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate

        Disassembly

        Code Analysis
