Windows Analysis Report wIQLBHYbqz

Overview

General Information

Sample Name:	wIQLBHYbqz (renamed file extension from none to exe)
Analysis ID:	483799
MD5:	1312d6ff22dbd8e9e05d1b0d9130439d
SHA1:	913051c8f41e722c522e637bdbdfa563ecfba4ff
SHA256:	543694f8b09a565a88932457d40d16cd85ac3f0b7be9ad322ef9486144379449
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected FrenchyShellcode packer

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Yara detected Nanocore RAT

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Binary is likely a compiled AutoIt script file

.NET source code contains potential unpacker

AutoIt script contains suspicious strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0622add8-a38b-49c1-8dc8-c09cf432", "Group": "NewLappi", "Domain1": "megida.hopto.org", "Domain2": "", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: wIQLBHYbqz.exe	Virustotal: Detection: 69%	Perma Link
Source: wIQLBHYbqz.exe	Metadefender: Detection: 62%	Perma Link
Source: wIQLBHYbqz.exe	ReversingLabs: Detection: 80%

Antivirus / Scanner detection for submitted sample

Source: wIQLBHYbqz.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: megida.hopto.org

Virustotal: Detection: 12%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat

Avira: detection malicious, Label: HEUR/AGEN.1100005

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR

Antivirus or Machine Learning detection for unpacked file

Source: 22.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.5b70000.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: wIQLBHYbqz.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: megida.hopto.org

Source: wIQLBHYbqz.exe, 00000000.00000002.616258371.00000000030B4000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com
Source: wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orglTime
Source: wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.myexternalip.com/raw
Source: RMActivate_isv.exe.bat, 0000000E.00000002.615594870.0000000003129000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: wIQLBHYbqz.exe, 00000000.00000002.616316017.00000000030D3000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgDi

Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.56f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.32116dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.RegAsm.exe.30a3c68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: wIQLBHYbqz.exe, 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: wIQLBHYbqz.exe, 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: RMActivate_isv.exe.bat, 0000000E.00000000.473380616.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RMActivate_isv.exe.bat, 0000000E.00000000.473380616.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: wIQLBHYbqz.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: wIQLBHYbqz.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: wIQLBHYbqz.exe	AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = BTBXJY
Source: wIQLBHYbqz.exe	AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: wIQLBHYbqz.exe	AutoIt Script: 5,62" ) ) ) LOCAL $LPSHELLCODE = $E ($B (BTBXJYMRF
Source: wIQLBHYbqz.exe	AutoIt Script: ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , BTBXJYMRFGAETPA
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = BTBXJY
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: 5,62" ) ) ) LOCAL $LPSHELLCODE = $E ($B (BTBXJYMRF
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , BTBXJYMRFGAETPA

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040E060	0_2_0040E060
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040E800	0_2_0040E800
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040FE40	0_2_0040FE40
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00416843	0_2_00416843
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0048804A	0_2_0048804A
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00437006	0_2_00437006
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0041710E	0_2_0041710E
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00436522	0_2_00436522
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00418A0E	0_2_00418A0E
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_004216C4	0_2_004216C4
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0042BFE6	0_2_0042BFE6
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0042DBB5	0_2_0042DBB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C12B58	13_2_02C12B58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543AD38	13_2_0543AD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05433850	13_2_05433850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05438468	13_2_05438468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05439068	13_2_05439068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_054323A0	13_2_054323A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05432FA8	13_2_05432FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543912F	13_2_0543912F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543306F	13_2_0543306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B3850	22_2_051B3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B2FA8	22_2_051B2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B23A0	22_2_051B23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B306F	22_2_051B306F

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_01411C68 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	0_3_01411C68
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD NtOpenSection,NtMapViewOfSection,	0_3_014100AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0556116A NtQuerySystemInformation,	13_2_0556116A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0556112F NtQuerySystemInformation,	13_2_0556112F
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D1C68 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	14_3_016D1C68
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD NtOpenSection,NtMapViewOfSection,	14_3_016D00AD

Source: wIQLBHYbqz.exe, 00000000.00000002.611482400.0000000000C73000.00000004.00000001.sdmp	Binary or memory string: FV_ORIGINALFILENAME) vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611482400.0000000000C73000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611076331.0000000000C17000.00000004.00000020.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe	Binary or memory string: OriginalFilenameRdpSaUacHelper4 vs wIQLBHYbqz.exe

Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wIQLBHYbqz.exe 'C:\Users\user\Desktop\wIQLBHYbqz.exe'
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat 'C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat'
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05560F2A AdjustTokenPrivileges,		13_2_05560F2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05560EF3 AdjustTokenPrivileges,		13_2_05560EF3

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Mutant created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0622add8-a38b-49c1-8dc8-c09cf4320fc4}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00428B85 push ecx; ret	0_2_00428B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2ABD8 push cs; retf	13_2_02C2ABEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29BDF pushfd ; retn 0002h	13_2_02C29BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2AAEF push cs; retf	13_2_02C2AB07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C274AC push ecx; ret	13_2_02C274AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C274B8 push ebp; ret	13_2_02C274B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2AB63 push cs; retf	13_2_02C2AB7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29D2C push eax; retf	13_2_02C29D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29D30 pushad ; retf	13_2_02C29D31

Windows Analysis Report wIQLBHYbqz

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: wIQLBHYbqz.exe	Static PE information: real checksum: 0x10d8fc should be: 0x139c1f
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: real checksum: 0x10d8fc should be: 0x14151e

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001			Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep count: 2878 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep count: 3460 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep time: -34600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat TID: 6892	Thread sleep count: 2602 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat TID: 6892	Thread sleep count: 300 > 30	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Thread sleep count: Count: 2878 delay: -10	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Thread sleep count: Count: 3460 delay: -10	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Thread sleep count: Count: 2602 delay: -10	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Window / User API: threadDelayed 2878	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Window / User API: threadDelayed 3460	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 494	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Window / User API: threadDelayed 2602	Jump to behavior

Source: wIQLBHYbqz.exe, 00000000.00000002.617226072.0000000003876000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611076331.0000000000C17000.00000004.00000020.sdmp	Binary or memory string: vmtoolsd.exePA1'
Source: RegAsm.exe, 0000000D.00000002.611058214.0000000001440000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD mov ecx, dword ptr fs:[00000030h]	0_3_014100AD
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD mov eax, dword ptr fs:[00000030h]	0_3_014100AD
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014101CB mov eax, dword ptr fs:[00000030h]	0_3_014101CB
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD mov ecx, dword ptr fs:[00000030h]	14_3_016D00AD
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD mov eax, dword ptr fs:[00000030h]	14_3_016D00AD
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D01CB mov eax, dword ptr fs:[00000030h]	14_3_016D01CB

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior