Analysis Report QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc

Overview

General Information

Sample Name: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
Analysis ID: 358179
MD5: bc1c94e783483f1c218efb5dcaf5f67e
SHA1: 7747c98d3d2da16f6e8b2fc56bd0e84532e3a543
SHA256: d1e84cab5bf5eadd159b04374dce5a78a0e93156086475d41ad86665357dfc66
Tags: doc
Infos:

Most interesting Screenshot:

Detection

Nanocore GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Connects to a URL shortener service
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt Virustotal: Detection: 42% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt ReversingLabs: Detection: 27%
Source: C:\Users\user\subfolder1\filename1.exe ReversingLabs: Detection: 27%
Source: C:\Users\Public\69577.exe ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc Virustotal: Detection: 39% Perma Link
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegAsm.exe.140000.3.unpack Avira: Label: TR/NanoCore.fadte

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
Source: Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 67.199.248.10:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.202:4488
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.202:4488
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 194.5.98.202
Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
Source: unknown DNS query: name: bit.ly
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 194.5.98.202:4488
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.199.248.10 67.199.248.10
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /2ZKf4aq HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B2E3E WSARecv, 6_2_007B2E3E
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F90-30CA-4646-ACFF-79FC9E14ADCB}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /2ZKf4aq HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000006.00000002.2371916923.000000000083D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/
Source: RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/y
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp String found in binary or memory: https://ibkebw.dm.files.1drv.com/y4mkt1ePYl5p-A97ciot0bQ59hcBfLkczVR077g5LVTnsSoRxe1bs39ErOjDRD_qmHQ
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/E
Source: RegAsm.exe, RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 2ZKf4aq[1].htm.2.dr String found in binary or memory: https://u.teknik.io/wREzo.txt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
Drops certificate files (DER)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Jump to dropped file

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00287311 NtProtectVirtualMemory, 6_2_00287311
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0028725D NtProtectVirtualMemory, 6_2_0028725D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_002872B9 NtProtectVirtualMemory, 6_2_002872B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00287322 NtProtectVirtualMemory, 6_2_00287322
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B180A NtQuerySystemInformation, 6_2_007B180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B17CF NtQuerySystemInformation, 6_2_007B17CF
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00792418 6_2_00792418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00799C03 6_2_00799C03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00798CF0 6_2_00798CF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007998F0 6_2_007998F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007938C8 6_2_007938C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_0079B5C0 6_2_0079B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00793020 6_2_00793020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007930E7 6_2_007930E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007999B7 6_2_007999B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1E370FF6 6_2_1E370FF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 15_2_006B01B7 15_2_006B01B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 17_2_003A01B7 17_2_003A01B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Code function: 20_2_002701B7 20_2_002701B7
PE file contains strange resources
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@19/25@6/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B149A AdjustTokenPrivileges, 6_2_007B149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B1463 AdjustTokenPrivileges, 6_2_007B1463
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\SMTP Service Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$OTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB2DA.tmp Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................0.......................(.P.....................@.......8.................................................................)..... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................`."...............".....(.P.............<....................................................................................... Jump to behavior
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc Virustotal: Detection: 39%
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp' Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
Source: Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source: Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1E370FAA push ds; retn 0024h 6_2_1E370FAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_1E370FF6 push ds; retn 0020h 6_2_1E371054

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\subfolder1\filename1.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:
Tries to detect Any.run
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\Public\69577.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000003202DE second address: 000000000032038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 000000000032038C second address: 000000000032044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 00000000003205CA second address: 00000000003205F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
Source: C:\Users\Public\69577.exe RDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000002802DE second address: 000000000028038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 000000000028038C second address: 000000000028044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 00000000002805CA second address: 00000000002805F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000286AF8 second address: 0000000000286AF8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub ebx, esi 0x0000000d inc ebx 0x0000000e jne 00007FAD4C762418h 0x00000010 jmp 00007FAD4C762412h 0x00000012 test eax, 276D876Eh 0x00000017 mov byte ptr [edx+ecx], al 0x0000001a jmp 00007FAD4C762412h 0x0000001c test edx, eax 0x0000001e inc ecx 0x0000001f jne 00007FAD4C76238Eh 0x00000021 mov al, byte ptr [edx+ecx] 0x00000024 add ebx, esi 0x00000026 xor al, byte ptr [ebx] 0x00000028 jmp 00007FAD4C762412h 0x0000002a pushad 0x0000002b lfence 0x0000002e rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00284447 rdtsc 6_2_00284447
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2348 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2864 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 884 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2160 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2332 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2384 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B11C2 GetSystemInfo, 6_2_007B11C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\Public\69577.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\Public\69577.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00284447 rdtsc 6_2_00284447
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00284C64 LdrInitializeThunk, 6_2_00284C64
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00286C05 mov eax, dword ptr fs:[00000030h] 6_2_00286C05
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00285D6F mov eax, dword ptr fs:[00000030h] 6_2_00285D6F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_00286BBA mov eax, dword ptr fs:[00000030h] 6_2_00286BBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_002857CD mov eax, dword ptr fs:[00000030h] 6_2_002857CD
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\Public\69577.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 280000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp' Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 Jump to behavior
Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp Binary or memory string: Program ManagerH
Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exe`
Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exehS
Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp Binary or memory string: Program Manager<
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Adds / modifies Windows certificates
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B28F6 bind, 6_2_007B28F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 6_2_007B28C3 bind, 6_2_007B28C3
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358179 Sample: QUOTATIONs44888_A2221_TOAN_... Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 19 other signatures 2->67 8 EQNEDT32.EXE 17 2->8         started        13 filename1.exe 1 2->13         started        15 taskeng.exe 1 2->15         started        17 2 other processes 2->17 process3 dnsIp4 49 67.199.248.10, 49165, 80 GOOGLE-PRIVATE-CLOUDUS United States 8->49 51 teknik.io 5.79.72.163, 443, 49166 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 8->51 53 2 other IPs or domains 8->53 37 C:\Users\user\AppData\Local\...\wREzo[1].txt, PE32 8->37 dropped 39 C:\Users\Public\69577.exe, PE32 8->39 dropped 77 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 8->77 19 69577.exe 1 8->19         started        79 Multi AV Scanner detection for dropped file 13->79 22 RegAsm.exe 2 15->22         started        24 smtpsvc.exe 2 15->24         started        file5 signatures6 process7 signatures8 69 Multi AV Scanner detection for dropped file 19->69 71 Writes to foreign memory regions 19->71 73 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 19->73 75 3 other signatures 19->75 26 RegAsm.exe 2 23 19->26         started        31 RegAsm.exe 19->31         started        process9 dnsIp10 55 194.5.98.202, 4488, 49171, 49172 DANILENKODE Netherlands 26->55 57 onedrive.live.com 26->57 59 2 other IPs or domains 26->59 41 C:\Users\user\subfolder1\filename1.exe, PE32 26->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, data 26->43 dropped 45 C:\Users\user\AppData\Local\...\tmp9445.tmp, XML 26->45 dropped 47 C:\Program Files (x86)\...\smtpsvc.exe, PE32 26->47 dropped 81 Tries to detect Any.run 26->81 83 Hides threads from debuggers 26->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->85 33 schtasks.exe 26->33         started        35 schtasks.exe 26->35         started        87 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 31->87 89 Tries to detect virtualization through RDTSC time measurements 31->89 file11 signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.199.248.10
 unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS true
5.79.72.163
 unknown Netherlands
60781 LEASEWEB-NL-AMS-01NetherlandsNL false
194.5.98.202
 unknown Netherlands
208476 DANILENKODE true

Contacted Domains

Name IP Active
bit.ly 67.199.248.11 true
teknik.io 5.79.72.163 true
onedrive.live.com unknown unknown
ibkebw.dm.files.1drv.com unknown unknown
u.teknik.io unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
true
  • Avira URL Cloud: safe
 low
194.5.98.202 true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://bit.ly/2ZKf4aq false
    		high